Opened 4 years ago
Last modified 14 months ago
#3405 reopened defect
Site has invalid certificate, causing Firefox to open a warning message when attempting to log on
| Reported by: | mikh43 | Owned by: | team |
|---|---|---|---|
| Priority: | major | Component: | unspecified |
| Version: | Keywords: | security website certificate invalid site | |
| Cc: |
Description (last modified by skyper)
My firefox rejects the certificate also. It says it's invalid. Sounds like a very serious error, since it compromises JOSM's internet credibility. I also fully trust JOSM and its collaborators, but put yourselves into the place of a new person. He would most certainly get scared about getting such an error. Plus is getting a valid certificate so difficult? I honestly don't know how to get a new one but if my feeble layman's opinion is any worth, I definitely think it's worth to go after a new, valid certificate for the site, for JOSM's reputability sake.
Here is what Firefox's Error Console logged (doesn't seem like it tells a lot about it):
Error: Attempted to connect to a site with a bad certificate in the add exception dialog. This results in a (mostly harmless) exception being thrown. Logged for information purposes only: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE)" nsresult: "0x80004005 (NS_ERROR_FAILURE)" location: "JS frame :: chrome://pippki/content/exceptionDialog.js :: checkCert :: line 163" data: no] Source File: chrome://pippki/content/exceptionDialog.js Line: 171
I am attaching to this ticket the certificate. I tried analyzing it, but honestly it's mostly nonsense for me. A polite guess is that the authority that gave the certificate isn't recognized by Firefox.
By the way, my Firefox version is 6.0
Attachments (1)
Change History (10)
comment:1 Changed 4 years ago by stoecker
- Resolution set to wontfix
- Status changed from new to closed
comment:2 Changed 4 years ago by mikh43
OK - I confess I often confuse whether I should be using JOSM or Trac and as I was reporting a bug with JOSM (the gpx non-centre non-zoom on opening one) I automatically logged in to JOSM. If this is unnecessary I guess it is a bit counter-intuitive. Not worried about certificate really - I trust OSM and its friends! I'll leave this closed and only get back if I have further problems after being very careful what I try to log in to!
comment:3 Changed 21 months ago by D4RK-L3G10N
- Component changed from Core to unspecified
- Description modified (diff)
- Keywords certificate invalid site added
- Priority changed from critical to major
- Resolution wontfix deleted
- Status changed from closed to reopened
- Summary changed from Security - complete mess to Site has invalid certificate, causing Firefox to open a warning message when attempting to log on
My firefox rejects the certificate also. It says it's invalid. Sounds like a very serious error, since it compromises JOSM's internet credibility. I also fully trust JOSM and its collaborators, but put yourselves into the place of a new person. He would most certainly get scared about getting such an error. Plus is getting a valid certificate so difficult? I honestly don't know how to get a new one but if my feeble layman's opinion is any worth, I definitely think it's worth to go after a new, valid certificate for the site, for JOSM's reputability sake.
comment:4 follow-up: ↓ 5 Changed 21 months ago by stoecker
- Resolution set to wontfix
- Status changed from reopened to closed
The certificate is not invalid, it is self-signed. And we can't get any "valid" certificate, as we don't have any money.
comment:5 in reply to: ↑ 4 Changed 21 months ago by D4RK-L3G10N
Replying to stoecker:
The certificate is not invalid, it is self-signed. And we can't get any "valid" certificate, as we don't have any money.
Oh alright, I wasn't aware you had to pay for a 'valid' certificate. I just noticed there is already an info on the homepage regarding this problem. Sorry for unnecessarily reopening this ticket. Maybe we should make this info a little more visible?
comment:6 Changed 14 months ago by anonymous
StartSSL gives out free certs that are accepted in most browsers. Maybe look into that? (Sorry, can't provide a link - spam filter will reject the comment even though the captcha is entered)
comment:7 Changed 14 months ago by anonymous
- Resolution wontfix deleted
- Status changed from closed to reopened
comment:8 Changed 14 months ago by skyper
- Description modified (diff)
+1
The download from this page is also effected.
Right now you have to manually download the certificate and place it in proper path to get your downloading software (wget/curl ...) to download from https.
comment:9 Changed 14 months ago by stoecker
Hmm, I don't see a big improvement with StartSSL.
- It works for some browsers, not all
- It will not work for java signing
- I need to update the certificate each year
- It does not improve security at all, rather the opposite
Simply install the JOSM cert. Whenever this one changes before 2019, something is really wrong. I personally have much more trust in this.
It seems you mix something here. JOSM login (i.e. login to the openstreetmap API) is not the same as login to this Trac.
You need not login to enter a bug report into Trac at all, so you also need not care for the certificate.
The certificate for this site is not perfectly valid, but ATM we are unable to change that. There is already a bug report for this problem.
Regarding a new account - When you gave username and password you already have a new account. No more steps are necessary.