SSL on gnupg.org
Pete Stephenson
pete at heypete.com
Mon Sep 9 15:58:14 CEST 2013
On Mon, Sep 9, 2013 at 3:19 PM, Werner Koch <wk at gnupg.org> wrote:
> Due to public demand I enabled https for www.gnupg.org on v4 and v6. IT
> is a 2048 bit CaCert certificate, so you need to install the cacert root
> certificate.
Excellent.
> Note also that recent Mozilla browsers tell you in the certificate
> details that they can't verify the certificate because it uses an
> insecure algorithm - which seems to be SHA-1. Now if SHA-1 would be the
> weakest link in the whole web security domain we could easily solve all
> problems. It is just funny how they try to fix a broken infrastructure.
According to https://www.ssllabs.com/ssltest/analyze.html?d=www.gnupg.org&hideResults=on
that's because the CAcert Class 3 intermediate cert was signed using
MD5, which is indeed insecure for such purposes. See
http://www.win.tue.nl/hashclash/rogue-ca/
They have a newer Class 3 intermediate cert at
http://www.cacert.org/index.php?id=3 that is signed by the CAcert root
using SHA256. Simply swapping out the intermediates should solve the
issue.
Personally, I prefer the free certs issued by StartSSL as their root
is installed by default in most systems/browsers. The CAcert root
isn't (yet -- there's a bunch of work needed to be done to get the
CAcert root to pass an audit and be included). Your mileage, of
course, may vary.
--
Pete Stephenson
More information about the Gnupg-users
mailing list