#3405 closed defect (fixed)
Site has invalid certificate, causing Firefox to open a warning message when attempting to log on
| Reported by: | mikh43 | Owned by: | team |
|---|---|---|---|
| Priority: | major | Milestone: | |
| Component: | unspecified | Version: | |
| Keywords: | security website certificate invalid site | Cc: |
Description (last modified by )
My firefox rejects the certificate also. It says it's invalid. Sounds like a very serious error, since it compromises JOSM's internet credibility. I also fully trust JOSM and its collaborators, but put yourselves into the place of a new person. He would most certainly get scared about getting such an error. Plus is getting a valid certificate so difficult? I honestly don't know how to get a new one but if my feeble layman's opinion is any worth, I definitely think it's worth to go after a new, valid certificate for the site, for JOSM's reputability sake.
Here is what Firefox's Error Console logged (doesn't seem like it tells a lot about it):
Error: Attempted to connect to a site with a bad certificate in the add exception dialog. This results in a (mostly harmless) exception being thrown. Logged for information purposes only: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE)" nsresult: "0x80004005 (NS_ERROR_FAILURE)" location: "JS frame :: chrome://pippki/content/exceptionDialog.js :: checkCert :: line 163" data: no] Source File: chrome://pippki/content/exceptionDialog.js Line: 171
I am attaching to this ticket the certificate. I tried analyzing it, but honestly it's mostly nonsense for me. A polite guess is that the authority that gave the certificate isn't recognized by Firefox.
By the way, my Firefox version is 6.0
Attachments (1)
Change History (12)
comment:1 by , 16 years ago
| Resolution: | → wontfix |
|---|---|
| Status: | new → closed |
comment:2 by , 16 years ago
OK - I confess I often confuse whether I should be using JOSM or Trac and as I was reporting a bug with JOSM (the gpx non-centre non-zoom on opening one) I automatically logged in to JOSM. If this is unnecessary I guess it is a bit counter-intuitive. Not worried about certificate really - I trust OSM and its friends! I'll leave this closed and only get back if I have further problems after being very careful what I try to log in to!
comment:3 by , 14 years ago
| Component: | Core → unspecified |
|---|---|
| Description: | modified (diff) |
| Keywords: | certificate invalid site added |
| Priority: | critical → major |
| Resolution: | wontfix |
| Status: | closed → reopened |
| Summary: | Security - complete mess → Site has invalid certificate, causing Firefox to open a warning message when attempting to log on |
My firefox rejects the certificate also. It says it's invalid. Sounds like a very serious error, since it compromises JOSM's internet credibility. I also fully trust JOSM and its collaborators, but put yourselves into the place of a new person. He would most certainly get scared about getting such an error. Plus is getting a valid certificate so difficult? I honestly don't know how to get a new one but if my feeble layman's opinion is any worth, I definitely think it's worth to go after a new, valid certificate for the site, for JOSM's reputability sake.
follow-up: 5 comment:4 by , 14 years ago
| Resolution: | → wontfix |
|---|---|
| Status: | reopened → closed |
The certificate is not invalid, it is self-signed. And we can't get any "valid" certificate, as we don't have any money.
comment:5 by , 14 years ago
Replying to stoecker:
The certificate is not invalid, it is self-signed. And we can't get any "valid" certificate, as we don't have any money.
Oh alright, I wasn't aware you had to pay for a 'valid' certificate. I just noticed there is already an info on the homepage regarding this problem. Sorry for unnecessarily reopening this ticket. Maybe we should make this info a little more visible?
comment:6 by , 13 years ago
StartSSL gives out free certs that are accepted in most browsers. Maybe look into that? (Sorry, can't provide a link - spam filter will reject the comment even though the captcha is entered)
comment:7 by , 13 years ago
| Resolution: | wontfix |
|---|---|
| Status: | closed → reopened |
comment:8 by , 13 years ago
| Description: | modified (diff) |
|---|
+1
The download from this page is also effected.
Right now you have to manually download the certificate and place it in proper path to get your downloading software (wget/curl ...) to download from https.
comment:9 by , 13 years ago
Hmm, I don't see a big improvement with StartSSL.
- It works for some browsers, not all
- It will not work for java signing
- I need to update the certificate each year
- It does not improve security at all, rather the opposite
Simply install the JOSM cert. Whenever this one changes before 2019, something is really wrong. I personally have much more trust in this.
comment:10 by , 12 years ago
| Resolution: | → wontfix |
|---|---|
| Status: | reopened → closed |
comment:11 by , 11 years ago
| Resolution: | wontfix → fixed |
|---|
GlobalSign gives free certificates for open source projects, the self-signed certificate is now history :)
It seems you mix something here. JOSM login (i.e. login to the openstreetmap API) is not the same as login to this Trac.
You need not login to enter a bug report into Trac at all, so you also need not care for the certificate.
The certificate for this site is not perfectly valid, but ATM we are unable to change that. There is already a bug report for this problem.
Regarding a new account - When you gave username and password you already have a new account. No more steps are necessary.