Unknown Certificate for commercial SSL certificate

Need help with FileZilla Client? Something does not work as expected? In this forum you may find an answer.

Moderator: Project members

Message
Author
User avatar
boco
Contributor
Posts: 24312
Joined: 2006-05-01 03:28
Location: Germany

Re: Unknown Certificate for commercial SSL certificate

#16 Post by boco » 2013-09-07 13:15

Making the website SSL doesn't have anything to do with this. Websites are served over HTTP/HTTPS.
### BEGIN SIGNATURE BLOCK ###
No support requests per PM! You will NOT get any reply!!!
FTP connection problems? Do yourself a favor and read Network Configuration.
All FileZilla products fully support IPv6. http://worldipv6launch.org
### END SIGNATURE BLOCK ###

stevenpage1
500 Command not understood
Posts: 1
Joined: 2013-11-04 22:51
First name: steven
Last name: page

Re: Unknown Certificate for commercial SSL certificate

#17 Post by stevenpage1 » 2013-11-04 23:00

well i suppose the idea behind using the certificate store is that it is a cross platform industry standard which lists known Trusted Authorities. most people do not have the time or understanding to compare the fingerprints on the actual certificate, therefore, the certificate store provides a means of deterrence.

hackers can spoof connections and build their own certificate to emulate the connection and therefore it will not be signed by a trusted root and raise the red flag. commonplace the redflag IS the "trust this certificate?" windows. this is exactly WHY self signed certs raise a red flag on the web browser.

the certificate store is usually locked to your root user on linux and the administrator on windows. it can be queried using the file system on *nix and using the registry or the win32 API / .Net Framework on Windows.

having to accept the certificate due to the fact it is not compared to anything first does not actually make it more secure, it makes it Less secure, because most users will be used to seeing the message and will click accept to just make it go away, without first inspecting it.

this "feature" should be removed, or rather, support for checking the certificate store should be implemented.

Tozz
500 Command not understood
Posts: 1
Joined: 2016-08-29 11:28

Re: Unknown Certificate for commercial SSL certificate

#18 Post by Tozz » 2016-08-29 11:35

I can only agree with stevenpage1. The need to accept every 'correct' certificate is madness. Filezilla should use the trusted authorities from the underlying OS. Regular users dont understand the warning.

As an ISP we have actually disabled SSL on our FTP servers due to the many many complaints from users using FileZilla. We now actually get compliments that we are one of the few ISPs that work with FileZilla, while we actually just degraded security.

This is just stupid. Indeed, what stevenpage1 has also said: This does not increase security. This will cause users to click accept on every certificate popup they encounter, regardless if it is legitimate or not.

BlurpDelta
500 Command not understood
Posts: 1
Joined: 2016-11-22 09:49

Re: Unknown Certificate for commercial SSL certificate

#19 Post by BlurpDelta » 2016-11-22 10:11

That's the whole idea of system-wide trusted CA store so we don't have to damn verify each single certificate by hand in each different application. If you'd don't trust given root CA you can remove it from system store. Alternative solution is having list of trusted root within application, like it's done in Firefox - but we still can add or remove given root CA (either external, or company internal) when we need to do so.

But what's done in FileZilla is not trusting any CA at all (no system list, no built-in list), which leads to users accepting every crap certificate that FileZilla presents to them via Unknown Certificate popup, because they won't bother to look at the popup that's displayed for both valid (signed by trusted CA) or rogue (signed by rogue CA) certificates.

Just imagine web browsers acting like that, displaying "Unknown Certificate" for every site. Users would simply start accepting every rogue certificate, because they couldn't reliably distinguish valid one from invalid one, if you ask them to do that by hand. PC can do X.509 chain validation (signatures, SAN, time ranges, revocation status via CRL/OCSP, etc.) in fraction of seconds. Find me ONE human user that will do all those checks when presented "Unknown Certificate" popup. Sorry Tim, but this philosophy looks like pure security theater to me.

rscatumich
500 Command not understood
Posts: 1
Joined: 2016-12-02 18:40
First name: Richard
Last name: Conto

Re: Unknown Certificate for commercial SSL certificate

#20 Post by rscatumich » 2016-12-02 19:08

I'm another person perplexed by FileZilla's reluctant approach to validating the SSL Certificate Chain against a Certificate Authority repository.

I understand the maintenance issues - you're faced with either using the OS's built-in CA trust scheme (which might be different on Windows, OS/X, and *nix), or you have to maintain your own list of trusted CAs and distribute it (like Mozilla/Firefox does.)

Either do it right or don't do it at all. This half-way approach is pretty bad.

As for my needs, I'm looking to recommend a FTPS client capable of downloading hundreds of files with a simple click-and-go, containing hundreds of gigabytes of data to a population of a thousand or more end-users on Windows, Macs, and various Linux platforms. These are often research ASSISTANTS who are extremely capable within their own specialty but are either going to freak out over the security warning, or don't have a budget for commercial solutions.

glenara
504 Command not implemented
Posts: 6
Joined: 2004-07-16 18:33
First name: Glen
Last name: Arason
Location: Edmonton, Alberta, Canada
Contact:

Re: Unknown Certificate for commercial SSL certificate

#21 Post by glenara » 2017-08-10 17:37

I was surprised to see that the error message didn't disappear after adding my CA signed cert.

Thank you botg for all your hard work and dedication to the success of FileZilla but you have to admin that signed certs shouldn't produce this type of warning.
It would be like creating a custom browser that throws a security warning every time you visit a secure site.
It defeats the purpose of having a CA signed cert.

Are there any developers here that understand the Browser Certificate Store that could contribute this portion to botg's FileZilla?
I would if I could.

Glen

User avatar
boco
Contributor
Posts: 24312
Joined: 2006-05-01 03:28
Location: Germany

Re: Unknown Certificate for commercial SSL certificate

#22 Post by boco » 2017-08-11 00:21

FileZilla follows the TOFU model of trust. There just isn't any certificate whitelist that is trusted by default. You, as the user, select what to trust. Once that decision is stored, FileZilla won't ask again for that connection (until the cert expires).

FileZilla doesn't trust commercial certificates any more than the self-signed ones. If you let the terribly flawed CA model of trust (which attempts to build trust on money, which is nonsense) aside, both can be equally trusted (or not). You decide after verifying their authenticity.
### BEGIN SIGNATURE BLOCK ###
No support requests per PM! You will NOT get any reply!!!
FTP connection problems? Do yourself a favor and read Network Configuration.
All FileZilla products fully support IPv6. http://worldipv6launch.org
### END SIGNATURE BLOCK ###

xeon
226 Transfer OK
Posts: 122
Joined: 2009-08-19 03:18

Re: Unknown Certificate for commercial SSL certificate

#23 Post by xeon » 2017-08-12 23:39

boco wrote:FileZilla follows the TOFU model of trust. There just isn't any certificate whitelist that is trusted by default. You, as the user, select what to trust. Once that decision is stored, FileZilla won't ask again for that connection (until the cert expires).

FileZilla doesn't trust commercial certificates any more than the self-signed ones. If you let the terribly flawed CA model of trust (which attempts to build trust on money, which is nonsense) aside, both can be equally trusted (or not). You decide after verifying their authenticity.
There are free options out there, Let's Encrypt for example.

Which do you think is more likely to happen? Some CA misissuing a certificate (rare and easily detectable these days) or a user blindly clicking past the cert verification screen? Only someone living in a fantasy world would expect every user to know the correct fingerprint of the certificate they're about to accept. I haven't seen a single hosting provider that provides this information anywhere and it's just not a realistic expectation to have for what are often times, non-tech savvy users doing this level of manual validation.

Post Reply