Please install a valid certificate to protect users of software that is * relying on content of unsigend latest-* file content or * analysing the directory listing (e.g. for determining latest/available content by themselves) from * rollback attacks and * indefinite freeze attacks through means of man-in-the-middle attacks. Firefox is saying: distfiles.gentoo.org uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. The certificate is not valid for any server names. The certificate expired on 17.03.2012 12:20. The current time is 04.07.2015 01:21. Many thanks!
We do not run distfiles.g.o ourselves; that's done by sponsors. I wasn't aware any of the IPs even supported HTTPS. I checked all 5 IPs: distfiles.gentoo.org. 7200 IN A 156.56.247.195 distfiles.gentoo.org. 7200 IN A 216.165.129.135 distfiles.gentoo.org. 7200 IN A 137.226.34.42 distfiles.gentoo.org. 7200 IN A 140.211.166.134 distfiles.gentoo.org. 7200 IN A 64.50.236.52 Only 156.56.247.195, which is run by IU, actually supports HTTPS, and gives that expired certificate. Given that right now would be a major security problem to give each mirror an SSL certificate that runs a distfiles, i'm going to ask IU to disable HTTPS on their mirror for now. Later on, we will have to re-evaluate this, but it will probably be converting distfiles.g.o to a redirection service, and serving a much-limited set of results for HTTPS queries.
Closing old bugs out. SSL is available via bouncer redirection at this time: https://bouncer.gentoo.org/fetch/distfiles/all/ (append the file you want on the end)
*** Bug 705952 has been marked as a duplicate of this bug. ***
