
Bug 263595

Summary: SSL Blacklist Add-On on firefox prints a warning about insecure Ca-certificate (md5) on https://bugs.gentoo.org/
Product: Gentoo Infrastructure
Reporter: Matt <jackdachef>
Component: Bugzilla
Assignee: Bugzilla Admins <bugzilla>
Status: RESOLVED DUPLICATE    
Severity: critical    
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---

Description Matt 2009-03-24 14:01:20 UTC
The SSL Blacklist Add-On on Firefox warns about the CA certificate https://bugs.gentoo.org uses being insecure.

(see: http://blogs.zdnet.com/security/?p=2339)

(for a description of SSL Blacklist: http://www.codefromthe70s.org/sslblacklist.aspx)

Reproducible: Always



Expected Results:  
https://bugs.gentoo.org should at least have a sha1- or sha2-based ca-certificate and later if possible sha3

I marked this critical since it's a security problem and Gentoo infrastructure has a high probability to be attacked/abused (subjective opinion)

thanks for your attention
Comment 1 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2009-03-25 00:54:00 UTC
Please search properly for bugs.

The blacklist is a !@#!@ piece of junk that doesn't recognize the difference between the CA's certificate and the actual site's certificate.

Our site cert is SHA1, the CA is still on MD5. Read the original bug.

*** This bug has been marked as a duplicate of bug 256437 ***
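
Added example, not part of the bug report and not the SSL Blacklist add-on's code: a per-certificate check that reads the signature algorithm of each certificate in a chain separately, so an MD5 signature on the site certificate is reported differently from one on the CA's own certificate. The function names and the skeleton certificates are hypothetical and constructed for illustration, and treating the last certificate as a trust anchor is an assumption the page does not confirm.

```python
# Added example: skeleton DER structures built below are constructed test data.
OID_NAMES = {
    bytes.fromhex("2a864886f70d010104"): "md5WithRSAEncryption",
    bytes.fromhex("2a864886f70d010105"): "sha1WithRSAEncryption",
    bytes.fromhex("2a864886f70d01010b"): "sha256WithRSAEncryption",
}
WEAK = {"md5WithRSAEncryption"}

def read_tlv(buf, pos):
    """Return (tag, content_start, content_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long form: low bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def signature_algorithm(cert_der):
    """Algorithm the issuer used to sign this certificate (outer signatureAlgorithm)."""
    _, body, _ = read_tlv(cert_der, 0)           # Certificate SEQUENCE
    _, _, tbs_end = read_tlv(cert_der, body)     # skip tbsCertificate
    _, alg, _ = read_tlv(cert_der, tbs_end)      # AlgorithmIdentifier SEQUENCE
    tag, start, end = read_tlv(cert_der, alg)    # its OBJECT IDENTIFIER
    if tag != 0x06:
        raise ValueError("signatureAlgorithm OID not found")
    oid = bytes(cert_der[start:end])
    return OID_NAMES.get(oid, "oid:" + oid.hex())

def audit_chain(chain_der, last_is_trust_anchor=True):
    """chain_der is ordered leaf first; returns (index, algorithm, verdict) tuples."""
    report = []
    for i, der in enumerate(chain_der):
        alg = signature_algorithm(der)
        anchor = last_is_trust_anchor and i == len(chain_der) - 1
        # Assumption: a trust anchor is trusted by being in the store, so its
        # own signature is not what path validation relies on.
        verdict = "ok" if alg not in WEAK else ("weak-anchor" if anchor else "weak")
        report.append((i, alg, verdict))
    return report

def tlv(tag, content):
    """Minimal DER encoder, used only to build the constructed samples."""
    n = len(content)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + content

def skeleton_cert(oid_hex):
    """Certificate-shaped DER with a placeholder body and a dummy signature."""
    alg = tlv(0x30, tlv(0x06, bytes.fromhex(oid_hex)) + tlv(0x05, b""))
    return tlv(0x30, tlv(0x30, b"\x00" * 200) + alg + tlv(0x03, b"\x00" * 17))

# Constructed chain mirroring comment 1: SHA-1 site cert, MD5 CA cert.
SITE, CA = skeleton_cert("2a864886f70d010105"), skeleton_cert("2a864886f70d010104")
```

`audit_chain([SITE, CA])` marks the site certificate `ok` and the CA certificate `weak-anchor`; passing `last_is_trust_anchor=False` treats the CA as an intermediate and reports it as `weak`.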