
NET::ERR_CERT_AUTHORITY_INVALID
Closed, Invalid, Public

Description

Google Chrome doesn't want people to go to
https://bugs.gnupg.org/gnupg/issue?%40sort=id&%40sortdir=on&%40group=category&%40columns=id%2Cactivity%2Ctitle%2Ccreator%2Cassignedto%2Cstatus&%40filter=status&status=-1%2C1%2C2%2C3%2C4%2C5%2C6%2C7&%40pagesize=50&%40startwith=0

Which is the link provided on http://bugs.g10code.com/. Google Chrome also
complains just trying to go to https://bugs.gnupg.org/

All that a user of Google Chrome sees (on Arch Linux anyway) when trying to
visit https://bugs.gnupg.org/ is the following:

Your connection is not private

Attackers might be trying to steal your information from
bugs.gnupg.org (for example, passwords, messages, or credit cards)

In order to actually get to the site, I had to click "advanced" which displayed:

This server could not prove that it is bugs.gnupg.org; its security
certificate is not trusted by your computer's operating system. This
may be caused by a misconfiguration or an attacker intercepting your
connection.

Proceed to bugs.gnupg.org (unsafe)

So, I clicked "Proceed to bugs.gnupg.org (unsafe)". This is a major
discouragement to people trying to file or view bugs, and is especially
embarrassing for this website dedicated to security.

In more faint text, there is another link, and clicking on it shows this
information:

NET::ERR_CERT_AUTHORITY_INVALID

Subject: kerckhoffs.g10code.com
Issuer: kerckhoffs.g10code.com
Expires on: Apr 5, 2063
Current date: Nov 18, 2014

Details

Version
Nov 18, 2014

Event Timeline

The entire X.509 based system is unsafe - it just does not work.
To save the costs and trouble I use a self-signed certificate for this site.

Or is it that Chrome is not able to handle an expiration time set to the day
of First Contact? Icanga has such a year 2038 problem, but I bet Chrome can
handle it.

werner lowered the priority of this task from High to Normal.
werner removed a project: Bug Report.

You say Chrome should be able to handle it, but it's not. I am using
the most up-to-date version of Chrome available for Linux: Version
40.0.2214.6 dev (64-bit), and it is not handling the certificate
properly. The wording of the "advanced" message indicates this is the
fault of my operating system. If this is a bug of Arch Linux, what
package would I file the bug against?

Chrome? I don't know. Using self-signed certificates is pretty common.

You have marked this resolved so may not look at it anymore. I should
not have made this seem to be a Chrome issue. Firefox is the same and
their detailed message is more helpful:

bugs.gnupg.org uses an invalid security certificate.

The certificate is not trusted because it is self-signed.
The certificate is only valid for the following names:
www.g10code.com, g10code.com, ftp.g10code.com, bugs.g10code.com,
git.g10code.com

(Error code: sec_error_unknown_issuer)

I don't get the message while signed in of course, but going incognito
or the next day, the message is back.

How is any browser supposed to trust a self-signed certificate if the
issuer is unknown to the browser? Is there something I can add to my
OS that will let it know you are the issuer?

I have seen this issue before, even on bank sites, going back 5 years
at least. I would like to know if there is a general solution.

Should be fixed for quite some time now.
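
Added example (not part of the original thread and not GnuPG's own tooling): the two errors quoted above, unknown issuer and name mismatch, are separate checks. The script builds a throwaway self-signed certificate with the Subject and SAN list quoted in the report and shows that supplying the certificate as its own trust anchor satisfies the first check but still fails the second for bugs.gnupg.org. It assumes OpenSSL 1.1.1 or later on the PATH; the function names are made up for this example.

```shell
#!/bin/sh
# Added example. The certificate is a throwaway built here to mimic the reported
# one (Subject == Issuer, SANs only under g10code.com); it is not the site's cert.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$work/key.pem" -out "$work/cert.pem" \
    -subj "/CN=kerckhoffs.g10code.com" \
    -addext "subjectAltName=DNS:www.g10code.com,DNS:g10code.com,DNS:ftp.g10code.com,DNS:bugs.g10code.com,DNS:git.g10code.com" \
    >/dev/null 2>&1
}

# Check 1: chain building against the default trust store only.
# Fails for a self-signed cert nobody has installed: the "unknown issuer" error.
trusted_by_default() {
  openssl verify "$work/cert.pem" >/dev/null 2>&1
}

# Check 2: the same cert supplied explicitly as its own trust anchor,
# which is the effect of importing it into a trust store.
trusted_when_pinned() {
  openssl verify -CAfile "$work/cert.pem" "$work/cert.pem" >/dev/null 2>&1
}

# Check 3: even with trust established, the requested host must match a SAN.
name_ok_when_pinned() {
  openssl verify -CAfile "$work/cert.pem" -verify_hostname "$1" \
    "$work/cert.pem" >/dev/null 2>&1
}

# Value to compare out-of-band with the site operator before pinning.
fingerprint() {
  openssl x509 -in "$work/cert.pem" -noout -fingerprint -sha256
}

report() { if "$@"; then echo "PASS: $*"; else echo "FAIL: $*"; fi; }

make_cert || { echo "openssl req failed" >&2; exit 1; }
fingerprint
report trusted_by_default
report trusted_when_pinned
report name_ok_when_pinned bugs.g10code.com
report name_ok_when_pinned bugs.gnupg.org
```

Only the fingerprint comparison ties the pinned certificate to the real operator, so it has to be obtained over a channel other than the connection being checked.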