Opened 6 years ago

Closed 6 years ago

Last modified 6 years ago

#11934 closed Bug report (rejected)

update.filezilla-project.org using self-signed certificate

Reported by: n8felton Owned by:
Priority: low Component: Other
Keywords: update certificate https ssl tls Cc:
Component version: Operating system type:
Operating system version:

Description

Attempting to connect to update.filezilla-project.org is failing due to HSTS and the server using a self-signed certificate rather than a public CA or Let's Encrypt.

Attachments (1)

Screen Shot 2019-06-03 at 3.35.31 PM.png (134.2 KB ) - added by n8felton 6 years ago.

Download all attachments as: .zip

Change History (6)

comment:1 by Tim Kosse, 6 years ago

Resolution: rejected
Status: newclosed

It doesn't use a self-signed certificate.

comment:2 by Tim Kosse, 6 years ago

If you see it using a self-signed certificate then a malicious man-in-the-middle proxy is intercepting and modifying your traffic.

comment:3 by Tim Kosse, 6 years ago

Priority: blockerlow

comment:4 by n8felton, 6 years ago

It appears to be signed by filezilla-project.org, which does not appear to be a part of any trusted roots provided by macOS or Windows.

While it may not be "self-signed", the root that it is signed by is not trusted.

comment:5 by Tim Kosse, 6 years ago

Since trust cannot be delegated, it's the one and only CA trusted by the FileZilla update mechanism.

All third-party software and hardware interfering with the update mechanism is considered malware. Please remove all malware from your environment.

Note: See TracTickets for help on using tickets.