project-navigation
Personal tools

Author Topic: Security certificate?  (Read 3221 times)

Offline keybounce

  • Sergeant
  • *****
  • Posts: 330
    • View Profile
Security certificate?
« on: September 17, 2009, 07:31:13 pm »
Mac os 10.5.8. Ppc.

stbmac:trunk Michael$ svn up
Error validating server certificate for 'https://ufoai.svn.sourceforge.net:443':
 - The certificate is not issued by a trusted authority. Use the
   fingerprint to validate the certificate manually!
Certificate information:
 - Hostname: *.svn.sourceforge.net
 - Valid: from Nov 11 20:25:27 2008 GMT until Jan 11 20:25:27 2010 GMT
 - Issuer: Equifax Secure Certificate Authority, Equifax, US
 - Fingerprint: 04:b2:70:e9:ba:cf:70:fc:e8:8a:22:86:14:13:51:97:1b:6a:de:38
(R)eject, accept (t)emporarily or accept (p)ermanently? t

Is this the correct/expected behavior?

stbmac:trunk Michael$ svn --version
svn, version 1.4.4 (r25188)
   compiled Jun 15 2007, 09:34:00

Offline Catty Nebulart

  • Rookie
  • ***
  • Posts: 17
    • View Profile
Re: Security certificate?
« Reply #1 on: September 19, 2009, 04:09:21 am »
Yes it means this ssh host is not yet known. basicly it's asking you if the host with that key is really the one you want to connect to.

This is to prevent man in the middle attacks, so that as long this time your communications are not being intercepted it can make sure when you contact the same host in the future without being redirected elsewhere.

Offline keybounce

  • Sergeant
  • *****
  • Posts: 330
    • View Profile
Re: Security certificate?
« Reply #2 on: September 21, 2009, 09:16:09 pm »
That much I know. That isn't the issue.

The key is listed as not being issued by a trusted authority. So anyone could have created a key; the point of the trusted certificate roots is that you don't have to verify every key you use, someone who has (in theory) pockets and could be sued for issuing invalid certificates has issued them.

I expected someone that knows the web site to come back and say, "Yes, I know that that is the correct finger print". I expected something like "I don't know why it says untrusted authority; we got the key from Equifax, and there's no error on my system". I don't know if the key is valid, and (A: My system's list of roots is bad, or B: it's from a new division of Equifax that hasn't gotten into the list of trusted roots yet), the key is valid but issued by someone that the web admins thought was equifax but wasn't, there is some massive MITM attack going on, or what.

Now, in reality, bad certificates have been issued in large numbers. No one is sueable for "Well, I thought this was a valid royalty certificate for Nigeria". You can't trust an SSL certificate to guarantee that the entity at the other end is who you think. And given the flaws in SSL that came to light recently (as well as last year's DNS flaws), you can't even be sure about no man-in-the-middle or eavesdroppers without a brand new certificate dated later; that still requires that you know that no one has duplicated the certificate authority's md5-hash and has a bogus CA key. (All of those are real, known flaws, starting with Dan's DNS flaw.)


Offline Catty Nebulart

  • Rookie
  • ***
  • Posts: 17
    • View Profile
Re: Security certificate?
« Reply #3 on: September 22, 2009, 04:04:08 am »
It's the sourceforge key though, or at least that is what it looks like (*.svn.sourceforge). I think you should be asking them the question, rather than ask it here. i have not been having any key issues but then i use the sourceforge svn regularly, so i probably just added it to my trusted keys a year or more ago and forgotten about it.

Offline Destructavator

  • Combination Multiple Specialty Developer
  • Administrator
  • PHALANX Commander
  • *****
  • Posts: 1908
  • Creater of Scorchcrafter, knows the zarakites...
    • View Profile
Re: Security certificate?
« Reply #4 on: September 22, 2009, 04:24:29 am »
I've experienced a very similar issue, close to the same message, on Linux if I download the game for the first time since re-installing Linux.

I wouldn't worry about it.