Opened 14 years ago
Last modified 9 years ago
#5633 closed Bug report
Be less trusting of trusted certificates — at Initial Version
| Reported by: | putte | Owned by: | |
|---|---|---|---|
| Priority: | high | Component: | FileZilla Client |
| Keywords: | ssl, mitm | Cc: | |
| Component version: | Operating system type: | Linux | |
| Operating system version: |
Description
When FileZilla is told to trust a self-signed certificate, that certificate will be accepted for any connection. For example, if I trust a certificate from some random guy for my connection to ftp.randomguy.net, that certificate will also be treated as valid for filezilla-project.org, google.com, sourceforge.net and so on.
The certificate (or rather FileZillas trust in the certificate) ought to be bound to a specific hostname or to a specific site in the site manager.
Steps to reproduce the problem:
- Generate a valid self-signed certificate and configure an FTP server to use it.
- Connect to the server with FileZilla and choose to trust the certificate.
- Copy the same certificate to a different FTP server (and set it up).
- Connect to this second server with FileZilla.
The result: FileZilla connects without warnings to the second server, even though the certificate belongs to a completely different server.
Software versions: FileZilla 3.3.4.1, GnuTLS 2.8.6
Note:
See TracTickets
for help on using tickets.
Firefox: Preferences -> Advanced -> Encryption -> View Certificates