Monthly Archives: August 2008

CAcert event at Drupalcon Szeged 2008

Leave a reply

Logo Drupalcon.org

Drupalcon is the twice-yearly gathering of Drupalers to learn about, discuss and advance Drupal, and to network with other community members. Experience this thriving community in person yourself in Szeged, Hungary!

See the Drupalcon website for more information.

At Drupalcon we’ll have a CAcert event organized by the people from erdfisch. If you need some assuring you’ll find them every day of the conference from 12:45 to 13:15 on the ground floor in the sitting corner near the registration desk.

See the full announcement CAcert event at Drupalcon

CAcert auf der FrOSCon 2008

Leave a reply


Auch dieses Jahr ist CAcert mit einem Informationsstand auf der FrOSCon vertreten (Sankt Augustin 23.- 24.08.2008). Interressierte, Assurer und welche, die es werden möchten sind herzlichst dazu eingeladen den Stand zu besuchen und sich ggf. vorher unter http://wiki.cacert.org/wiki/FrOSCon2008 einzutragen um den Platz entsprechend bereit zu halten.
Die FrOSCon bietet auch dieses Jahr wieder eine große Auswahl an Themen aus dem Bereich Freier Software und Open Source. Das Programm ist online unter http://programm.froscon.de abrufbar.

Vulnerability Note, 14th of August 2008

Leave a reply

CAcert certificate issuance with unverified arbitratry email addresses

Overview
The CAcert issuance of certificates had a vulnerability that permitted an attacker to add arbitrary email addresses without verification.

I Description
Issuance of certificates is by means of login to a webpage by Members. After authenticating the Member, she is offered a choice of certificates, with a choice of pre-verified email addresses.
In the POST response to that choice, there is insufficient checking on the paramaters supplied, and it is possible to add multiple additional email addresses that are not pre-verified.

The specific failure is use of register_globals and insufficient paramater testing.

II. Impact
A Member may add email addresses from a limited range of TLDs (Japan only has been verified).

III. Solution
The paramater checking has been fixed. Register_globals is now turned off in the test system to explore side effects. Operational software will follow
soon.

Systems Affected
Only Japan TLD addresses may have been affected. There is no indication that any prior issued certificates with Japan TLD email addresses are other than valid.

This is a Member-reliance issue only. Any disputes will be filed in CAcert’s internal Arbitration forum.

Vendor Status Date Updated
CAcert Fixed 14th of August 2008

References
bug report
Kriss his blog

Credit
CAcert credits Kriss Andsten for reporting this issue.

CAcert, Teus Hagen

Assuring Party @ DebConf8, Argentina.

Leave a reply 
A new CAcert Assuring Party will take place at DebConf8 in Mar del Plata,  Argentina, right next to the Keysigning Party[1], during this Thursday.
To obtain assurance at the event:
  1. Login to the CAcert site and click the "CAcert Web of Trust" menu and then click on one of the WoT forms.
  2. Print that form out, verify that it has complete and accurate information
  3. Bring it and 2 forms of government issued photo identification (one will be accepted, but two are preferred in case of document validity doubts).
Please also read over the following pages:http://wiki.cacert.org/wiki/FAQ/AssuranceIntroduction and http://wiki.cacert.org/wiki/FAQ/AssuranceByCAP.
There are some printers you can use to print forms at DebConf FrontDesk on the ground floor of the "Hotel Dora".

See you in there!