Is bugzilla.rpmfusion.org safe?

asked 2014-05-29 17:40:54 -0500 by Bucic

Firefox has just asked me whether I want to add a security exception to get to the website.


Comments

bugzilla.rpmfusion.org now has a good certificate, trusted by Firefox.

sergiomb ( 2016-09-30 23:11:39 -0500 )

4 Answers


answered 2014-05-30 01:10:26 -0500 by FranciscoD_

It's safe. They probably have an outdated certificate. You can request them to update it on their mailing list.


answered 2014-05-30 09:45:08 -0500

bugzilla.rpmfusion.org is "safe", sure. If you get there, I trust them to not share your password or do anything nefarious with your account. Of course, anything you put into a bug report will be public, and the information should be made safe before you submit it.

If you get a security exception message, it's usually related to an invalid or untrusted certificate. Because the site uses this certificate to identify itself, you can't really know for sure that the server you are connecting to is what it claims to be. If you choose to make a security exception for a site, do so carefully!

The trust here is not based on intent! It isn't rational to attempt to connect to a site you trust, get a message warning you that the site could have been compromised, and ignore the warning because you intended to connect to a safe site. For example, you could try to visit your banking website, and encounter a security exception where the site was identified with a certificate intended for phishingsite.fakebanking.example.com - you wouldn't trust that certificate just because you trust your bank!


answered 2015-09-29 12:26:08 -0500 by sergiomb

updated 2015-11-12 13:34:39 -0500

Yes, but you should install / import the CAcert root certificate from cacert.org [1] to enter Bugzilla safely without warnings.

[1] http://www.cacert.org/index.php?id=3

Click on http://www.cacert.org/certs/root.crt and check all the boxes; at least it worked on my Firefox.

Reference:

http://lists.rpmfusion.org/pipermail/...

Moreover :

On the page http://rpmfusion.org/ReportingBugs we can read:

You should install CACert root certificate to successfully validate bugzilla's certificate.

UPDATE: Python client - SSL lib - "certificate verify failed" in F23 (for fedora-review, for example):

    # run as root: drop the CAcert root into the system anchor directory
    cd /etc/pki/ca-trust/source/anchors
    wget http://www.cacert.org/certs/root.crt
    # regenerate the consolidated trust bundles that OpenSSL (and so Python) read
    update-ca-trust

answered 2015-10-11 15:08:02 -0500 by catanzaro

TL;DR #1: Do not install the CAcert root certificate as suggested by sergiomb's answer. (Explanation below.)

TL;DR #2: bugzilla.rpmfusion.org is not safe to visit: anyone on the Internet can intercept your connection, record your password or session cookie, and control your RPMFusion Bugzilla user account. I personally would not care if this happened to my RPMFusion Bugzilla account, so I might bypass the warning, but I would never do this on any site that I do trust or care about.

  • The people who have answered "the site is safe" do not understand what this error means: it means you seem to have connected to a different site that is pretending to be bugzilla.rpmfusion.org . Even though your browser's address bar says you're at the right place, there are many ways for attackers to trick your browser into visiting the wrong place. When your browser detects that this could have happened (technically: when it receives an untrusted TLS certificate), it displays a warning page. So it doesn't matter if you trust bugzilla.rpmfusion.org : what matters is that you have no way to know whether you're actually visiting it, or an attacker pretending to be it.
  • To be clear: if you trust the RPMFusion developers, that is not a good reason to skip past this warning. The warning means you seem to have connected to an attacker impersonating bugzilla.rpmfusion.org and not the real bugzilla.rpmfusion.org .
  • You always get this warning on bugzilla.rpmfusion.org , whether there is any attack or not, due to incompetence. They're using a certificate issued by CAcert, which is not considered a reputable CA and not trusted by Fedora (or by Firefox). This means the webmasters are wildly incompetent. It's unfortunate but there are no other words to use for this situation: using CAcert for a public web site is wildly unacceptable, as it guarantees all users will always see this scary error message. The developers should either stop redirecting users to https://bugzilla.rpmfusion.org and completely close port 443, indicating that the browser should not expect any security and should not warn about the problem, or better spend $5 per year to get a trusted certificate.
  • CAcert is not trusted for very good reason. They have yet to pass a security audit. You can search the web for articles about this from both sides of the debate, but the long story short is that no browsers trust them, the only OS that ever trusted them was Debian, and Debian revoked their trust a year or two ago since it seems CAcert is not ever going to complete their audit. There is a lot more to the story than this, but it doesn't matter: what matters is that they're not trusted, and legitimate web sites don't use it.
  • It's not any more or less safe to visit than any site that uses HTTP (which has absolutely no ...

Comments

CAcert may not be trusted, but if you install / import the CAcert root certificate from cacert.org and enter Bugzilla safely without browser warnings, it is secure.

sergiomb ( 2015-10-12 18:19:07 -0500 )

If you don't trust CAcert, you should not import their root certificate....

catanzaro ( 2015-10-12 19:38:35 -0500 )

CAcert is free; do you know of another certificate authority that is free for open source?

sergiomb ( 2015-11-07 10:00:53 -0500 )

CAcert is free, but worthless, because no browser trusts it. You would be better off not using HTTPS at all, to avoid the error messages your users will get.

You can get free non-worthless certs from StartCom: https://www.startssl.com/?app=1

Or you could try to get into Let's Encrypt https://letsencrypt.org/ which is currently in limited beta, but nearing the end of that phase, and will supposedly begin offering free trusted certs to everyone within the next two weeks. If you need a cert immediately, I'd go with StartCom, otherwise I'd wait for this.

catanzaro ( 2015-11-07 14:35:41 -0500 )
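The two positions in the answers above (import the CAcert root and the warning disappears; the warning means you cannot tell the real server from an impostor) describe the same mechanism from two sides: a certificate is "trusted" only if it chains to an anchor in the verifier's store, and importing an anchor lets that CA vouch for any hostname. The script below is an added example, not code from this thread or from RPM Fusion. It uses only the openssl CLI, builds two throwaway CAs (names invented for the demo) that each issue a certificate for bugzilla.rpmfusion.org, and verifies those certificates against the system store, against one imported root, and against the other.

```shell
#!/bin/sh
# Added example (not from the thread or from RPM Fusion): a throwaway PKI built
# with the openssl CLI to show what an "untrusted certificate" warning means.
# The hostname is the one from the thread; the CA names are invented for the demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
HOST=bugzilla.rpmfusion.org

# make_ca NAME: self-signed root with the extensions a CA needs -> $WORK/NAME.{key,crt}
# A private config keeps the demo independent of the system openssl.cnf.
make_ca() {
    cat > "$WORK/$1.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = $1
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -config "$WORK/$1.cnf" -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# issue_leaf CA HOST OUT: CA-signed server certificate with a DNS SAN -> $WORK/OUT.crt
issue_leaf() {
    printf '[req]\nprompt = no\ndistinguished_name = dn\n[dn]\nCN = %s\n' "$2" > "$WORK/$3.cnf"
    openssl req -new -config "$WORK/$3.cnf" -newkey rsa:2048 -nodes \
        -keyout "$WORK/$3.key" -out "$WORK/$3.csr" >/dev/null 2>&1
    printf 'subjectAltName = DNS:%s\n' "$2" > "$WORK/$3.ext"
    openssl x509 -req -days 1 -in "$WORK/$3.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
        -CAcreateserial -extfile "$WORK/$3.ext" -out "$WORK/$3.crt" >/dev/null 2>&1
}

# verify_leaf LEAF HOST [CAFILE]: chain + hostname check; prints OK or FAIL.
# Without CAFILE only the system trust store is consulted, which is what a
# browser does before it shows the "add a security exception" page.
verify_leaf() {
    leaf="$WORK/$1.crt"
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$3" -verify_hostname "$2" "$leaf" >/dev/null 2>&1 && echo OK || echo FAIL
    else
        openssl verify -verify_hostname "$2" "$leaf" >/dev/null 2>&1 && echo OK || echo FAIL
    fi
}

make_ca demo-untrusted-ca   # stands in for a CA that no browser or distro ships
make_ca demo-attacker-ca    # anyone on the Internet can run one of these as well
issue_leaf demo-untrusted-ca "$HOST" site
issue_leaf demo-attacker-ca  "$HOST" mitm

echo "1 system store, site cert:            $(verify_leaf site "$HOST")"
echo "2 imported root, site cert:           $(verify_leaf site "$HOST" "$WORK/demo-untrusted-ca.crt")"
echo "3 imported root, attacker cert:       $(verify_leaf mitm "$HOST" "$WORK/demo-untrusted-ca.crt")"
echo "4 attacker root imported, its cert:   $(verify_leaf mitm "$HOST" "$WORK/demo-attacker-ca.crt")"
```

Run it as an unprivileged user; it writes only to a temporary directory. Case 1 is the browser warning: the issuer is unknown to the store, so nothing ties the certificate to the real site. Case 2 passes purely because you chose to trust that issuer; nothing else about the site was checked. Case 3 shows an imported root does not vouch for other issuers' certificates, and case 4 shows that whoever's root you import can speak for any hostname, which is why "import the root so the warning goes away" and "trust the CA" are the same decision. One caveat on the import procedure in sergiomb's answer: root.crt is fetched over plain HTTP, so the anchor itself arrives unauthenticated; compare its fingerprint (openssl x509 -in root.crt -noout -fingerprint -sha256) with one obtained out of band before running update-ca-trust.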
