-
-
Notifications
You must be signed in to change notification settings - Fork 251
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Describe better ways for certificate validation, mention Let's Encrypt and Certificate Transparency at the Riseup CA page #520
Comments
kardan <notifications@github.com> writes:
time is an ass, it obsoleted https://riseup.net/certificates/riseup-signed-certificate-fingerprints.txt in may 2018. Next time Riseup's Let's Encrypt certificate will be renewed in August 2018. Please update your signed message at your own comfort.
Stated fingerprint: ab1757631d84ba6f77cc0784fcbdccedd6268c217dbe625d53aa976d1de74123
Actual fingerprint: 82:48:A4:CD:FB:9B:9B:50:0F:CC:ED:7E:0F:A7:39:8E:10:F6:C8:9F:F4:5C:13:A2:E3:5F:3A:EF:B3:CA:4F:48
on which site do you see this fingerprint?
note the NOTE in the text:
!!!
NOTE: Certificates for help.riseup.net, riseup.net and www.riseup.net are
auto-renewed Let's Encrypt certificates. They are renewed approximately 3
months and we do not list their fingerprints here
!!!
|
Update: it is the same shown in the browser for riseup.net https://share.riseup.net/#QpAHIoby7ek-9aTxHTLSbQ I am not sure if this is the correct way to do it, but these are the commands I used:
|
kardan <notifications@github.com> writes:
I am not sure if this is the correct way to do it, but these are the commands I used:
$ openssl x509 -fingerprint -sha256 -noout -in Riseup.crt
the question I'm asking is - where do you get Riseup.crt from?
|
via
or
|
kardan <notifications@github.com> writes:
via
I mean where did you get the file Riseup.crt.
|
it's created by openssl directly from riseup.net: |
kardan <notifications@github.com> writes:
it's created by openssl directly from riseup.net:
`openssl s_client -servername riseup.net -connect riseup.net:443 </dev/null > Riseup.crt`
oooh, ok, I misunderstood. We do have a cert called "Riseup.crt" which
is for the red vpn, so I thought maybe you were referring to that.
but... this is where that note on the cert verification page is important:
NOTE: Certificates for help.riseup.net, riseup.net and www.riseup.net are
auto-renewed Let's Encrypt certificates. They are renewed approximately 3
months and we do not list their fingerprints here
this cert you are getting with openssl is the riseup.net one, which is a
lets encrypt certificate, which we are not listing fingerprints for. The
listed fingerprints are for the other domains.
|
thanks, that clears my head .. a bit. I still have trouble to understand the whole, also in respect to the help pages https://riseup.net/certificates and https://riseup.net/en/security/network-security/riseup-ca because the statement is a bit confusing - for me.
According to below tests the sha256 sums for
I am happy with *.riseup.net referring to only some of them, however the actual fingerprint for riseup.net clearly contradicts the statement.
I have to admit I am not aware what the
Now riseup.net, www.riseup.net, help.riseup.net appear as identical. Excuse me, but I claim no user will take anything from it, especially no confidence for security. Can we replace the instructions to verify the certificate fingerprint with something like:
But there seems to be no way to automatically compare it. Please correct me. |
time is an ass, it obsoleted https://riseup.net/certificates/riseup-signed-certificate-fingerprints.txt in may 2018. Next time Riseup's Let's Encrypt certificate will be renewed in August 2018. Please update your signed message at your own comfort.
Stated fingerprint: ab1757631d84ba6f77cc0784fcbdccedd6268c217dbe625d53aa976d1de74123
Actual fingerprint: 82:48:A4:CD:FB:9B:9B:50:0F:CC:ED:7E:0F:A7:39:8E:10:F6:C8:9F:F4:5C:13:A2:E3:5F:3A:EF:B3:CA:4F:48
I would do it myself, but unfortunately I have no access to the treasurers private key.
Thanks and have a good day!
The text was updated successfully, but these errors were encountered: