Opened 14 years ago
Closed 6 years ago
#6533 closed Bug report (wontfix)
FileZilla-Server endangers SSL-connections!
| Reported by: | Alex | Owned by: | |
|---|---|---|---|
| Priority: | normal | Component: | FileZilla Server |
| Keywords: | | Cc: | |
| Component version: | | Operating system type: | Windows |
| Operating system version: | 5.1.2600 | | |
Description
After creation of the Security Certificate, FileZilla-Server v0.9.37 beta keeps the PRiVATE_KEY inside the Security_Certificate!
It is wrong and is inadmissible!
As a result of creation of the Security Certificate 2 files should be created:
- A file containing PRiVATE_KEY, for example 'pgp1.skey'
- A file containing SECURiTY_CERTiFiCATE.
(!) The PRiVATE KEY should NOT be located inside the Security Certificate!
SECURiTY CERTiFiCATE is intended for free distribution in Internet and should NOT contain confidential data!
PRiVATE KEY should be stored only at the Owner of the Security Certificate.
This dangerous mistake needs to be corrected URGENTLY, since FileZilla Server subjects many users exchanging confidential data to a big risk.
I have attached a sample of the CERTIFICATE created by means of FileZilla-Server v0.9.37 beta (the file contains an RSA_PRiVATE_KEY).
P.S.
On the whole, I express gratitude for the very useful and convenient program FileZilla FTP Client!
Attachments (1)
Change History (4)
by , 14 years ago
| Attachment: | example_com.crt added |
|---|---|
comment:1 by , 14 years ago
| Priority: | critical → normal |
|---|---|
Not critical as this bug is not a remotely exploitable security vulnerability.
comment:2 by , 7 years ago
Triage suggestion
There has been no movement on this ticket in 6 years.
I recommend closing the ticket as "wontfix" (unless it's been fixed, of course!).
comment:3 by , 6 years ago
| Resolution: | → wontfix |
|---|---|
| Status: | new → closed |
Hopefully this has been fixed in the last eight years, but since there have been no additional changes to this ticket, I'm closing it.
Security_Certificate contains RSA_PRiVATE_KEY !!!
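An added example, not part of the original ticket and not FileZilla's code: a check for the condition the report describes (a certificate file that also carries a private key block), with a split into a distributable certificate part and an owner-only key file. The function names and the sample are constructed for illustration; the sample uses placeholder bodies and is not the attached file.

```python
import os
import re

# One PEM block (RFC 7468 textual encoding): BEGIN line, body, matching END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n.*?\r?\n-----END \1-----", re.DOTALL)

# Constructed sample: layout of a combined key+certificate file, placeholder bodies.
SAMPLE = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Q09OU1RSVUNURUQgU0FNUExF\n"
    "-----END RSA PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\n"
    "Q09OU1RSVUNURUQgU0FNUExF\n"
    "-----END CERTIFICATE-----\n"
)

def is_private(label):
    # Covers PRIVATE KEY, RSA/EC/DSA PRIVATE KEY, ENCRYPTED and OPENSSH variants.
    return label.endswith("PRIVATE KEY")

def private_labels(text):
    """Labels of all private-key blocks in text; an empty list means none found."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text) if is_private(m.group(1))]

def separate(text):
    """Return (public_pem, private_pem): the bundle split by block type."""
    public, private = [], []
    for m in PEM_BLOCK.finditer(text):
        (private if is_private(m.group(1)) else public).append(m.group(0) + "\n")
    return "".join(public), "".join(private)

def write_key(path, pem):
    """Create the key file owner-only; refuse to overwrite an existing file."""
    # On Windows the mode bits are largely ignored; restrict the file ACL there.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(pem)

if __name__ == "__main__":
    import sys
    # Audit the file named on the command line, or the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    print("private key blocks:", private_labels(text) or "none")
```

Run it against any file before handing that file out; only the first value returned by `separate` is safe to distribute.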