#11934 closed Bug report (rejected)
update.filezilla-project.org using self-signed certificate
Reported by: | n8felton | Owned by: | |
---|---|---|---|
Priority: | low | Component: | Other |
Keywords: | update certificate https ssl tls | Cc: | |
Component version: | | Operating system type: | |
Operating system version: | | | |
Description
Attempting to connect to update.filezilla-project.org is failing due to HSTS and the server using a self-signed certificate rather than a public CA or Let's Encrypt.
Attachments (1)
Change History (6)
comment:1 by , 5 years ago
Resolution: | → rejected |
---|---|
Status: | new → closed |
comment:2 by , 5 years ago
If you see it using a self-signed certificate then a malicious man-in-the-middle proxy is intercepting and modifying your traffic.
comment:3 by , 5 years ago
Priority: | blocker → low |
---|
by , 5 years ago
Attachment: | Screen Shot 2019-06-03 at 3.35.31 PM.png added |
---|
comment:4 by , 5 years ago
It appears to be signed by filezilla-project.org, which does not appear to be a part of any trusted roots provided by macOS or Windows.
While it may not be "self-signed", the root that it is signed by is not trusted.
comment:5 by , 5 years ago
Since trust cannot be delegated, it's the one and only CA trusted by the FileZilla update mechanism.
All third-party software and hardware interfering with the update mechanism is considered malware. Please remove all malware from your environment.
It doesn't use a self-signed certificate.
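The distinction drawn in comments 4 and 5, reproduced offline as an added example (not FileZilla's code or certificates): a leaf issued by a private root is not self-signed, verifies when only that root is trusted, and is rejected by the system trust store. The CA name, host name and function names are constructed placeholders; it assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Constructed demo PKI; the CA and host names are placeholders, not FileZilla's.
set -eu

make_demo_pki() {  # $1 = empty work directory
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Demo Update Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    mkdir -p "$1/empty"  # empty CApath, so no system roots are consulted
    # Private root: the only certificate here that is actually self-signed.
    openssl req -x509 -config "$1/ca.cnf" -newkey rsa:2048 -nodes -days 2 \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
    # Server key and CSR, then a leaf certificate issued by the private root.
    openssl req -new -config "$1/ca.cnf" -subj "/CN=update.example.test" \
        -newkey rsa:2048 -nodes -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 2 -out "$1/leaf.pem" 2>/dev/null
}

dn() {  # $1 = certificate, $2 = issuer|subject; prints the DN without its label
    openssl x509 -in "$1" -noout "-$2" | sed "s/^$2= *//"
}

is_self_issued() {  # issuer DN equals subject DN, as in a self-signed certificate
    [ "$(dn "$1" issuer)" = "$(dn "$1" subject)" ]
}

verifies_pinned() {  # $1 = cert, $2 = the one CA to trust, $3 = empty directory
    openssl verify -CAfile "$2" -CApath "$3" "$1" 2>/dev/null | grep -q ': OK$'
}

verifies_system() {  # $1 = cert; uses only the OS/OpenSSL default trust store
    openssl verify "$1" 2>/dev/null | grep -q ': OK$'
}

demo() {
    d=$(mktemp -d); make_demo_pki "$d"
    is_self_issued "$d/leaf.pem" || echo "leaf issuer: $(dn "$d/leaf.pem" issuer) (not self-signed)"
    verifies_pinned "$d/leaf.pem" "$d/ca.pem" "$d/empty" && echo "pinned private root: OK"
    verifies_system "$d/leaf.pem" || echo "system trust store: rejected"
    rm -rf "$d"
}
demo
```

Running the same `dn` check against a certificate captured from a live connection shows whether the issuer is the expected private root or something else on the network path.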