Category Archives: News

News Relating to CAcert

FrOSCon 2011 in St. Augustin 20./21. August 2011

For the English version see below.

This year CAcert will again be represented with a booth at FrOSCon on 20 and 21 August in St. Augustin.
In addition, there will be a talk on “Signing OpenOffice documents”, given in cooperation with OpenOffice.
Come and talk to us at the booth to find out which activities are currently under way and planned at CAcert.
More at http://wiki.cacert.org/events/FrOSCon2011

English
CAcert will again be present with a booth at FrOSCon in St. Augustin on 20th/21st August.
Furthermore, there will be a talk about “Signing of OpenOffice documents”, given together with OpenOffice.
Feel free to come along and ask us what CAcert is doing at the moment and what the plans for the near future are. For more see http://wiki.cacert.org/events/FrOSCon2011

Certificates for weak keys revoked

If you received an email today stating that one or more of your certificates was revoked, then this action was initiated by CAcert. See the announcement on the blog.

For more background information see the Arbitration page and Hanno Böck’s blog post.

In short: certificates were found whose private keys could easily be cracked for one of the following reasons:

  • Their modulus size is small (below 1024 bits) and can therefore quickly be “brute forced” with ordinary desktop computers.
  • They use a small public exponent, which is vulnerable to well-known cryptographic attacks.
  • The key was generated by a buggy Debian system (see Debian Vulnerability).

The CAcert web page has now been modified so that it no longer accepts such weak keys for certificates.
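The kind of check a CA front end can run on a submitted certificate or request, as an added example (not CAcert's own code): it applies the first two criteria from the list above, modulus size and public exponent, to the text dump that openssl produces. The thresholds, the function names and the file paths are this example's own assumptions; the Debian blacklist lookup is left to the openssl-blacklist package's openssl-vulnkey tool.

```sh
#!/bin/sh
# Added example, not CAcert's own code: classify an RSA key by the two cheap
# criteria named in the post (modulus size, public exponent). The thresholds
# are this example's own choice. The Debian weak-key blacklist check is not
# reproduced here; the openssl-blacklist package's openssl-vulnkey covers it.

MIN_MODULUS_BITS=1024   # reject anything below this (assumed threshold)
MIN_EXPONENT=65537      # reject smaller public exponents (assumed threshold)

# assess_rsa_key BITS EXPONENT -> prints "ok", or "weak: <reason>" and returns 1
assess_rsa_key() {
    bits=$1; exp=$2
    if [ "$bits" -lt "$MIN_MODULUS_BITS" ]; then
        echo "weak: modulus is only $bits bits"; return 1
    fi
    if [ "$exp" -lt "$MIN_EXPONENT" ]; then
        echo "weak: public exponent $exp is too small"; return 1
    fi
    echo "ok"
}

# extract_rsa_params FILE [x509|req] -> prints "BITS EXPONENT" parsed from the
# text dump of a certificate (x509) or a certificate request (req); works with
# both the "RSA Public-Key: (n bit)" and the "Public-Key: (n bit)" spellings
extract_rsa_params() {
    file=$1; kind=${2:-x509}
    text=$(openssl "$kind" -noout -text -in "$file") || return 1
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    exp=$(printf '%s\n' "$text" | sed -n 's/.*Exponent: \([0-9]*\) .*/\1/p' | head -n 1)
    [ -n "$bits" ] && [ -n "$exp" ] || return 1
    echo "$bits $exp"
}

# check_key_file FILE [x509|req] -> runs both steps; unreadable or non-RSA input is rejected
check_key_file() {
    params=$(extract_rsa_params "$1" "${2:-x509}") || { echo "weak: no RSA key found"; return 1; }
    set -- $params
    assess_rsa_key "$1" "$2"
}
```

A request would be checked with `check_key_file request.csr req`; a non-zero exit status means the key must not be signed.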

We wish to thank Hanno Böck for notifying us of this problem and giving us enough time to fix it before publishing it.

Software Testers Reward Challenge – Your last chance …

The Software-Testers Reward Challenge 2011 is now in its last two days. So it’s your last chance to climb into the hall of fame.

The Software-Testers Reward Challenge will end Thursday, June 30th at midnight.

The software tester who writes the most reports on the bugs listed in the Tester Portal receives a reward of 30 Euro; the second one receives a reward of 15 Euro.

Each report under the listed bug numbers counts 🙂

Since Tuesday at least two new bugs have been added to the test server that you can start testing:

  • Bug #942
    0000942: CATS import interface is not fit to handle non-Assurer Challenge tests
  • Bug #948
    0000948: Email address verification violates SMTP protocol
  • For Bug #827
    there is additional info available under wiki bug827 infos

Happy testing

CAcert fixes potential security problem

You may have received an automated mail from CAcert today or yesterday evening, stating that one or more of your certificates are unsafe and will be revoked soon.

I don’t want to go into more technical details before the relevant certificates have been revoked; if you received one of those mails, some technical details are included there. Please do not use the listed certificates any more and replace them with newly issued ones as soon as possible.

New signatures for the CAcert Class 3 subroot certificate

New signatures for the CAcert Class 3 subroot certificate – changes for users of CAcert certificates
(English version; the German version follows below)

CAcert re-signs its Class 3 subroot certificate with a new SHA256 signature. The MD5 signature used until now is no longer regarded as fully secure by Mozilla and is therefore deprecated. Mozilla is going to drop support for MD5-signed Class 3 subroot and end-entity certificates after 30th June. Users of Mozilla products such as Firefox and Thunderbird may then see errors when these programs try to verify such certificates.

Hence webmasters, as well as users of CAcert’s Class 3 certificates, have to download and install the newly signed certificate from CAcert’s website. The same procedure applies if the Class 3 certificate is used for secure e-mail communication, for code signing, or for document signing.

The procedure in short:
1. Download the new Class 3 PKI key from http://www.cacert.org/index.php?id=3

2. Either install it directly in your browser, or in whichever other client program you use the certificate with, or save it to the SSL configuration directory of your web server. For Apache this may be /etc/apache2/ssl/class3.crt (PEM format).

3. Verify the SHA1 fingerprint of the downloaded certificate:
AD:7C:3F:64:FC:44:39:FE:F4:E9:0B:E8:F4:7C:6C:FA:8A:AD:FD:CE
Example command line: openssl x509 -fingerprint -noout -in class3.crt
Or check the fingerprint shown when importing the certificate into the web browser.

4. Webmasters then re-create the necessary hash links with c_rehash or a similar tool.
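Steps 3 and 4 as one script, added here as an example that is not part of CAcert's post: it refuses a sub-root file that is still MD5-signed or whose SHA1 fingerprint differs from the published value, and only then rebuilds the hash links. The expected fingerprint is the one printed above; the default file path, the CA directory argument and the function names are this example's assumptions.

```sh
#!/bin/sh
# Added example (not from CAcert's post): check a downloaded sub-root certificate
# before trusting it, then rebuild the hash links. The expected fingerprint is the
# one published in the post; the file path and CA directory are assumptions.
CERT_FILE=${CERT_FILE:-/etc/apache2/ssl/class3.crt}
EXPECTED_SHA1="AD:7C:3F:64:FC:44:39:FE:F4:E9:0B:E8:F4:7C:6C:FA:8A:AD:FD:CE"

# sha1_fingerprint FILE -> colon-separated SHA1 fingerprint, as openssl prints it
sha1_fingerprint() {
    openssl x509 -sha1 -fingerprint -noout -in "$1" | sed 's/^.*Fingerprint=//'
}

# signature_algorithm FILE -> e.g. sha256WithRSAEncryption or md5WithRSAEncryption
signature_algorithm() {
    openssl x509 -noout -text -in "$1" | sed -n 's/^ *Signature Algorithm: \(.*\)$/\1/p' | head -n 1
}

# fingerprint_matches FILE EXPECTED -> 0 if the SHA1 fingerprint equals EXPECTED (case-insensitive)
fingerprint_matches() {
    actual=$(sha1_fingerprint "$1" | tr 'a-f' 'A-F')
    expected=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# is_md5_signed FILE -> 0 when the certificate still carries an MD5 signature
is_md5_signed() {
    case "$(signature_algorithm "$1")" in
        md5*) return 0 ;;
        *)    return 1 ;;
    esac
}

# verify_and_rehash FILE EXPECTED [CADIR]: refuse MD5-signed or mismatching certs,
# otherwise rebuild the hash symlinks (c_rehash, or "openssl rehash" on newer builds)
verify_and_rehash() {
    if is_md5_signed "$1"; then
        echo "refusing $1: still MD5-signed" >&2; return 1
    fi
    if ! fingerprint_matches "$1" "$2"; then
        echo "refusing $1: SHA1 fingerprint does not match the published value" >&2; return 1
    fi
    echo "$1 verified (SHA1 $2)"
    c_rehash "${3:-$(dirname "$1")}"
}
```

Run it as `verify_and_rehash "$CERT_FILE" "$EXPECTED_SHA1"` after downloading the file; a non-zero exit means the file must not be installed.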

By using the secure SHA256 hash, CAcert continues its focus on securing the internet. Further information is given on CAcert’s wiki page.

-+-

New signatures for the CAcert Class 3 subroot certificate – changes for users of CAcert certificates

CAcert is re-signing its Class 3 subroot certificate with a SHA256 signature. The MD5 signature CAcert used until now is no longer regarded as sufficiently secure by Mozilla. Mozilla will therefore stop supporting MD5-signed Class 3 subroot and end-entity certificates after 30 June. Users of Firefox and Thunderbird, for example, may receive an error when verifying MD5-signed certificates after that date.

Webmasters as well as web users who use the Class 3 subroot certificate must therefore download it afresh from the CAcert website and install it. The same is required when the Class 3 certificates are used for secure e-mail communication, for code signing or for signing documents.

The procedure in short:
1. Download the new Class 3 PKI key from http://www.cacert.org/index.php?id=3

2. Depending on your needs, either install it directly in the browser or the other programs you use, or place it in the SSL configuration directory of the web server. For Apache, for example: /etc/apache2/ssl/class3.crt (PEM format)

3. Check the SHA1 fingerprint of the downloaded certificate:
AD:7C:3F:64:FC:44:39:FE:F4:E9:0B:E8:F4:7C:6C:FA:8A:AD:FD:CE
Example command line: openssl x509 -fingerprint -noout -in class3.crt
Or view the fingerprint displayed by the web browser when importing the certificate

4. Webmasters then regenerate the required hash with c_rehash or similar programs

With the SHA256 hash now in use, CAcert continues to invest in a secure internet. Further information can be found in the CAcert wiki.

svn.cacert.org on new host with client certificate authentication now!

Today I finished the migration of svn.cacert.org to an LXC container on our new infrastructure machine. The container is running on Debian Squeeze and supports some nice new features:

Read-only access is provided via http://svn.cacert.org/ as it was before.

Besides allowing client certificate authentication for our Subversion repository this is a big step forward as we now have a modern infrastructure machine with a recent operating system distribution.

If you already have an SVN account on svn.cacert.org and want to use the client certificate authentication feature, please send a mail to svn-admin (at) cacert (dot) org.

Easter Egg Challenge 2011

We’ve just started this year’s Easter Egg Challenge … We’ve put a couple of patches onto our test server CACERT1 for you, our fellow and our new software testers. We’ve put light to heavy patches into the package so everybody is able to walk through the test server web pages and search for our Easter Eggs.