
Re: Unknown Certificate for commercial SSL certificate

Posted: 2013-09-07 13:15
by boco
Making the website SSL doesn't have anything to do with this. Websites are served over HTTP/HTTPS.

Re: Unknown Certificate for commercial SSL certificate

Posted: 2013-11-04 23:00
by stevenpage1
Well, I suppose the idea behind using the certificate store is that it is a cross platform industry standard which lists known Trusted Authorities. Most people do not have the time or understanding to compare the fingerprints on the actual certificate, therefore, the certificate store provides a means of deterrence.

Hackers can spoof connections and build their own certificate to emulate the connection and therefore it will not be signed by a trusted root and raise the red flag. Commonplace the red flag IS the "trust this certificate?" windows. This is exactly WHY self signed certs raise a red flag on the web browser.

The certificate store is usually locked to your root user on Linux and the administrator on Windows. It can be queried using the file system on *nix and using the registry or the win32 API / .Net Framework on Windows.

Having to accept the certificate due to the fact it is not compared to anything first does not actually make it more secure, it makes it Less secure, because most users will be used to seeing the message and will click accept to just make it go away, without first inspecting it.

This "feature" should be removed, or rather, support for checking the certificate store should be implemented.

Re: Unknown Certificate for commercial SSL certificate

Posted: 2016-08-29 11:35
by Tozz
I can only agree with stevenpage1. The need to accept every 'correct' certificate is madness. FileZilla should use the trusted authorities from the underlying OS. Regular users don't understand the warning.

As an ISP we have actually disabled SSL on our FTP servers due to the many many complaints from users using FileZilla. We now actually get compliments that we are one of the few ISPs that work with FileZilla, while we actually just degraded security.

This is just stupid. Indeed, what stevenpage1 has also said: This does not increase security. This will cause users to click accept on every certificate popup they encounter, regardless if it is legitimate or not.

Re: Unknown Certificate for commercial SSL certificate

Posted: 2016-11-22 10:11
by BlurpDelta
That's the whole idea of system-wide trusted CA store so we don't have to damn verify each single certificate by hand in each different application. If you don't trust given root CA you can remove it from system store. Alternative solution is having list of trusted root within application, like it's done in Firefox - but we still can add or remove given root CA (either external, or company internal) when we need to do so.

But what's done in FileZilla is not trusting any CA at all (no system list, no built-in list), which leads to users accepting every crap certificate that FileZilla presents to them via Unknown Certificate popup, because they won't bother to look at the popup that's displayed for both valid (signed by trusted CA) or rogue (signed by rogue CA) certificates.

Just imagine web browsers acting like that, displaying "Unknown Certificate" for every site. Users would simply start accepting every rogue certificate, because they couldn't reliably distinguish valid one from invalid one, if you ask them to do that by hand. PC can do X.509 chain validation (signatures, SAN, time ranges, revocation status via CRL/OCSP, etc.) in fraction of seconds. Find me ONE human user that will do all those checks when presented "Unknown Certificate" popup. Sorry Tim, but this philosophy looks like pure security theater to me.

Re: Unknown Certificate for commercial SSL certificate

Posted: 2016-12-02 19:08
by rscatumich
I'm another person perplexed by FileZilla's reluctant approach to validating the SSL Certificate Chain against a Certificate Authority repository.

I understand the maintenance issues - you're faced with either using the OS's built-in CA trust scheme (which might be different on Windows, OS/X, and *nix), or you have to maintain your own list of trusted CAs and distribute it (like Mozilla/Firefox does.)

Either do it right or don't do it at all. This half-way approach is pretty bad.

As for my needs, I'm looking to recommend a FTPS client capable of downloading hundreds of files with a simple click-and-go, containing hundreds of gigabytes of data to a population of a thousand or more end-users on Windows, Macs, and various Linux platforms. These are often research ASSISTANTS who are extremely capable within their own specialty but are either going to freak out over the security warning, or don't have a budget for commercial solutions.

Re: Unknown Certificate for commercial SSL certificate

Posted: 2017-08-10 17:37
by glenara
I was surprised to see that the error message didn't disappear after adding my CA signed cert.

Thank you botg for all your hard work and dedication to the success of FileZilla but you have to admit that signed certs shouldn't produce this type of warning.
It would be like creating a custom browser that throws a security warning every time you visit a secure site.
It defeats the purpose of having a CA signed cert.

Are there any developers here that understand the Browser Certificate Store that could contribute this portion to botg's FileZilla?
I would if I could.

Glen

Re: Unknown Certificate for commercial SSL certificate

Posted: 2017-08-11 00:21
by boco
FileZilla follows the TOFU model of trust. There just isn't any certificate whitelist that is trusted by default. You, as the user, select what to trust. Once that decision is stored, FileZilla won't ask again for that connection (until the cert expires).

FileZilla doesn't trust commercial certificates any more than the self-signed ones. If you let the terribly flawed CA model of trust (which attempts to build trust on money, which is nonsense) aside, both can be equally trusted (or not). You decide after verifying their authenticity.
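
The trust-on-first-use flow described in the post above, next to the OS trust-store validation other posters ask for, as an added example that is not part of any post in this thread and is not FileZilla's code. The `TofuStore` class, its return strings, the host name and the byte strings standing in for DER certificates are constructed for illustration.

```python
import hashlib
import ssl
from datetime import datetime, timezone


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint (hex) of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


class TofuStore:
    """Hypothetical trust-on-first-use pin store keyed by (host, port)."""

    def __init__(self):
        self._pins = {}  # (host, port) -> (fingerprint, not_after)

    def check(self, host, port, der, now):
        pin = self._pins.get((host, port))
        if pin is None:
            return "prompt-unknown"   # first contact: nothing to compare against
        pinned_fp, not_after = pin
        if pinned_fp != fingerprint(der):
            return "prompt-changed"   # differs from what the user accepted
        if now >= not_after:
            return "prompt-expired"   # stored decision lapses with the certificate
        return "trusted"

    def accept(self, host, port, der, not_after):
        self._pins[(host, port)] = (fingerprint(der), not_after)


def system_store_context() -> ssl.SSLContext:
    """Client context that validates the chain against the OS trust store."""
    return ssl.create_default_context()  # CERT_REQUIRED + hostname check


def demo():
    host, port = "ftp.example.test", 21  # constructed host
    genuine = b"constructed stand-in: server DER certificate"
    rogue = b"constructed stand-in: interceptor DER certificate"
    now = datetime(2017, 8, 11, tzinfo=timezone.utc)
    expiry = datetime(2018, 8, 11, tzinfo=timezone.utc)
    store = TofuStore()
    first = (store.check(host, port, genuine, now), store.check(host, port, rogue, now))
    store.accept(host, port, genuine, expiry)
    later = (store.check(host, port, genuine, now), store.check(host, port, rogue, now),
             store.check(host, port, genuine, expiry))
    return first + later


if __name__ == "__main__":
    print(demo())
```

On first contact the genuine and the substituted certificate produce the same result, so the pin store can only flag a change on later connections, while the default `ssl` context rejects an unverifiable chain before any prompt.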

Re: Unknown Certificate for commercial SSL certificate

Posted: 2017-08-12 23:39
by xeon
boco wrote:
> FileZilla follows the TOFU model of trust. There just isn't any certificate whitelist that is trusted by default. You, as the user, select what to trust. Once that decision is stored, FileZilla won't ask again for that connection (until the cert expires).
>
> FileZilla doesn't trust commercial certificates any more than the self-signed ones. If you let the terribly flawed CA model of trust (which attempts to build trust on money, which is nonsense) aside, both can be equally trusted (or not). You decide after verifying their authenticity.

There are free options out there, Let's Encrypt for example.

Which do you think is more likely to happen? Some CA misissuing a certificate (rare and easily detectable these days) or a user blindly clicking past the cert verification screen? Only someone living in a fantasy world would expect every user to know the correct fingerprint of the certificate they're about to accept. I haven't seen a single hosting provider that provides this information anywhere and it's just not a realistic expectation to have for what are often times, non-tech savvy users doing this level of manual validation.