[Discuss] server certificates for the https protocol
Steven Kurylo
sk at infinitepigeons.org
Mon Jan 28 14:20:41 PST 2008
On Jan 27, 2008 12:56 PM, Alan W. Irwin <irwin at beluga.phys.uvic.ca> wrote:
> Could somebody give me a brief description of what server certificates are
> and the practical steps I should take to deal with invalid ones?
>
> For example, I am currently getting the following message from an svn commit
> to SF
>
> software at raven> svn commit .
> Error validating server certificate for 'https://lasi.svn.sourceforge.net:443':
> - The certificate is not issued by a trusted authority. Use the
> fingerprint to validate the certificate manually!
> Certificate information:
> - Hostname: *.svn.sourceforge.net
> - Valid: from Tue, 09 Oct 2007 14:15:07 GMT until Mon, 08 Dec 2008 15:15:07 GMT
> - Issuer: Equifax Secure Certificate Authority, Equifax, US
> - Fingerprint: fb:75:6c:40:58:ae:21:8c:63:dd:1b:7b:6a:7d:bb:8c:74:36:e7:8a
> (R)eject, accept (t)emporarily or accept (p)ermanently?
>
> Is this the fault of SourceForge or Equifax or is there a real security
> concern here?
It's telling you the cert is signed by Equifax Secure Certificate
Authority, Equifax, US but you don't trust them.
In an ideal world you'll verify the fingerprint against a trusted
source. They don't seem to list their fingerprints on their website,
even if you decided to trust it.
Firefox comes with a lot of Equifax certificates, so you could see if
Firefox already trusts it.
The paranoid hat could be that your DNS could be poisoned and you're
not looking at the real sourceforge server. The hacker is using the
Equifax name on their certificate to try to trick you.
More likely your OS just doesn't have the latest Equifax cert installed.
--
Steven Kurylo
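The two checks the thread describes, done by hand: compare the fingerprint svn prints against a value obtained out of band, and separately ask the local trust store whether it accepts the issuer. This is an added example, not code from the thread or from Subversion. The hostname and the fingerprint string are the ones quoted in the svn prompt above; the byte string used for the offline self-check is constructed and is not a real certificate.

```python
"""Verify a server certificate the way the svn prompt asks you to:
(1) compare its SHA-1 fingerprint against a value you got from a trusted source,
(2) check whether the platform trust store accepts the chain at all."""
import hashlib
import hmac
import socket
import ssl

# Fingerprint exactly as quoted in the svn prompt above. In practice this value
# must come from somewhere you already trust (out of band), not from the prompt.
EXPECTED_SF_FINGERPRINT = "fb:75:6c:40:58:ae:21:8c:63:dd:1b:7b:6a:7d:bb:8c:74:36:e7:8a"


def parse_fingerprint(text: str) -> bytes:
    """Turn 'fb:75:...' (svn/openssl style, any case, colons optional) into raw bytes."""
    hexdigits = text.strip().replace(":", "").replace(" ", "").lower()
    if len(hexdigits) != 40:
        raise ValueError("expected a 20-byte SHA-1 fingerprint, got %d hex digits" % len(hexdigits))
    return bytes.fromhex(hexdigits)


def format_fingerprint(digest: bytes) -> str:
    """Render a digest in the colon-separated lowercase form svn prints."""
    return ":".join("%02x" % b for b in digest)


def sha1_fingerprint(der_cert: bytes) -> bytes:
    """svn's fingerprint is SHA-1 over the DER encoding of the leaf certificate."""
    return hashlib.sha1(der_cert).digest()


def fingerprint_matches(der_cert: bytes, expected: str) -> bool:
    """Constant-time comparison of the computed fingerprint with the expected one."""
    return hmac.compare_digest(sha1_fingerprint(der_cert), parse_fingerprint(expected))


def fetch_cert_der(host: str, port: int = 443, timeout: float = 10.0) -> bytes:
    """Fetch the leaf certificate WITHOUT trusting it (CERT_NONE), for fingerprinting only.
    Nothing is sent over this connection; it is closed right after the handshake."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def issuer_trusted(host: str, port: int = 443, timeout: float = 10.0) -> bool:
    """Mirror svn's first check: does this system's CA store accept the chain and hostname?
    A False here is the 'not issued by a trusted authority' situation in the thread."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except ssl.SSLCertVerificationError:
        return False


if __name__ == "__main__":
    import sys
    # Usage: python check_cert.py [host] [expected_fingerprint]
    host = sys.argv[1] if len(sys.argv) > 1 else "lasi.svn.sourceforge.net"
    expected = sys.argv[2] if len(sys.argv) > 2 else EXPECTED_SF_FINGERPRINT
    der = fetch_cert_der(host)
    print("fingerprint:                  ", format_fingerprint(sha1_fingerprint(der)))
    print("matches out-of-band value:    ", fingerprint_matches(der, expected))
    print("issuer trusted by this system:", issuer_trusted(host))
```

If `issuer_trusted` is False but the fingerprint matches a value you obtained independently, the problem is the local CA store (the "OS doesn't have the latest cert" case); if the fingerprint does not match, accepting the prompt "permanently" would pin the wrong certificate, which is the scenario the paranoid hat is worried about.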