Update from 14:30 UTC: The problem is solved.
We want to let you know that we are aware of an invalid SSL certificate on some of our servers reachable via HTTPS. This has been the case most of the time, at least between 04:00 and 11:00 CET today.
We took down some of our services temporarily after becoming aware of this. Affected services were:
- build.opensuse.org
- api.opensuse.org
- hermes.opensuse.org
- notify.opensuse.org
- connect.opensuse.org
- features.opensuse.org
The issue has been reported to our service provider, who maintains the proxy that delivers this certificate.
I hope all of you will continue not to trust invalid certificates for our services. It can always be a man-in-the-middle attack, and especially when submitting passwords or sensitive data like source code, that is not acceptable. So please continue to miss-trust invalid certificates on our servers.
Sorry



Speaking of possible man-in-the-middle attacks: Do you know whether there are any plans to show the fingerprints of the Buildservice-Repositories on a https-protected page? Currently we just have to hit “Accept” when adding repositories, without being able to check the fingerprint.
Too late…
I already accepted the certificate permanently.
All of this SSL-Certificate-Stuff is difficult to understand and to handle for host-/webmaster as well as for browser- or email-users. Thus it’s “secure” but not safe.
What is the suggested behavior for inexperienced users on invalid certificates?
- Search for Fingerprints and compare.
- Just don’t use the service anymore.
- Write an email to the hostmaster.
Or:
- Just click on “Accept” and forget.
Why does a browser provide the latter option at all, when it’s not safe?
[quote=Martin]
Why does a browser provide the latter option at all, when it’s not safe?
[/quote]
If you accept a cert, you usually are sure, it is ok to trust it, you read the cert infos, you are aware, it is a cert without CA in back.
But you do not install/accept a cert from a serious organisation like openSUSE.
and if the cert changes, you will again get notified…
(This all isn’t needed with a trust CA verified cert.)
Has nothing to do with missing (in the sense of “going past”) trust – hence: mistrust.