Posted to dev@directory.apache.org by "Jimmy Kaplowitz (JIRA)" <ji...@apache.org> on 2011/09/01 00:27:14 UTC

[jira] [Created] (DIRSTUDIO-741) Update site has self-signed cert that expired months before the 1.5.3 release

Update site has self-signed cert that expired months before the 1.5.3 release
-----------------------------------------------------------------------------

                 Key: DIRSTUDIO-741
                 URL: https://issues.apache.org/jira/browse/DIRSTUDIO-741
             Project: Directory Studio
          Issue Type: Bug
          Components: studio-updatesite
            Reporter: Jimmy Kaplowitz


Hi,

I was just trying to install Apache Directory Studio 1.5.3 from within Eclipse 3.7. It's saying that the certificate signing the software (or maybe the update site) is both self-signed and expired in January 2010. This is a bit more worrying than even having no certificate, since the 1.5.3 release is from April 2010, and I'm kind of puzzled that it was signed with a certificate that was already several months out of date when the release was made, in addition to being self-signed. I'm also trying this more than a year after the 1.5.3 release occurred, so the fact that the situation remains as I've described is quite worrying from the perspective of having security issues noticed and addressed in a timely fashion.

There are many valid ways to handle the issue of code signing, including deciding that it's not useful security to do it at all, making an Apache-specific certificate authority, or paying for a commercial certificate as is done for the *.apache.org HTTPS web sites. The current situation with the Eclipse update site encourages false guarantees of security and, if Apache's users are taught to ignore such warnings, exposes them to man-in-the-middle or other malicious attacks when they think they are being protected by the security reputation of the Apache Software Foundation.

The time estimate I have given is assuming you decide to generate some new certificate by whatever commercial or non-commercial method, and may include the time to deal with a vendor and/or rebuild the software. If you simply decide to switch your repository to unsigned, my estimate will probably be too large.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira

[jira] [Updated] (DIRSTUDIO-741) Update site has self-signed cert that expired months before the 1.5.3 release

Posted by "Pierre-Arnaud Marcelot (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/DIRSTUDIO-741?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Pierre-Arnaud Marcelot updated DIRSTUDIO-741:
---------------------------------------------

    Affects Version/s: 1.5.3
        Fix Version/s: 2.0.0
             Assignee: Pierre-Arnaud Marcelot

> Update site has self-signed cert that expired months before the 1.5.3 release
> -----------------------------------------------------------------------------
>
>                 Key: DIRSTUDIO-741
>                 URL: https://issues.apache.org/jira/browse/DIRSTUDIO-741
>             Project: Directory Studio
>          Issue Type: Bug
>          Components: studio-updatesite
>    Affects Versions: 1.5.3
>            Reporter: Jimmy Kaplowitz
>            Assignee: Pierre-Arnaud Marcelot
>              Labels: security
>             Fix For: 2.0.0
>
>   Original Estimate: 2h
>  Remaining Estimate: 2h

[jira] [Reopened] (DIRSTUDIO-741) Update site has self-signed cert that expired months before the 1.5.3 release

Posted by "Pierre-Arnaud Marcelot (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/DIRSTUDIO-741?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Pierre-Arnaud Marcelot reopened DIRSTUDIO-741:
----------------------------------------------


Don't know what happened, but somebody marked it as resolved...

[jira] [Resolved] (DIRSTUDIO-741) Update site has self-signed cert that expired months before the 1.5.3 release

Posted by "Elizabeth Bart (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/DIRSTUDIO-741?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Elizabeth Bart resolved DIRSTUDIO-741.
--------------------------------------

    Resolution: Fixed

[jira] [Commented] (DIRSTUDIO-741) Update site has self-signed cert that expired months before the 1.5.3 release

Posted by "Pierre-Arnaud Marcelot (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/DIRSTUDIO-741?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13095190#comment-13095190 ] 

Pierre-Arnaud Marcelot commented on DIRSTUDIO-741:
--------------------------------------------------

Thanks for the JIRA.

AFAIR, Eclipse 3.7 is the first to complain about the situation; I don't remember 3.5 or 3.6 saying anything.
I guess we didn't check the expiration date of the certificate when releasing these versions, and as it's a self-signed certificate, it is only valid for 6 months.

We are currently looking into getting an Apache-branded signed certificate in order to fix that for future releases.

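The release-time check that would have caught both problems in this thread (the reporter's expired-and-self-signed signer, and the six-month self-signed lifetime described in the comment), as an added Go example that is not part of the thread or of the Directory Studio project. The fixture certificate, its name and the dates are constructed from the figures in the report (expiry January 2010, release April 2010); a real pipeline would read the certificate from the signing keystore instead.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// Report is what a pre-release check of the signing certificate would flag.
type Report struct {
	SelfSigned        bool // issuer equals subject and the signature verifies under its own key
	ExpiredAtRelease  bool // notAfter is earlier than the planned release date
	DaysLeftAtRelease int  // whole days of validity left on the release date (negative if expired)
}

// CheckSigningCert reports, before publishing, what an update client would later complain about.
func CheckSigningCert(cert *x509.Certificate, releaseDate time.Time) Report {
	// Matching issuer/subject alone is not proof of self-signing; also verify with its own key.
	selfSigned := cert.Issuer.String() == cert.Subject.String() &&
		cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil
	return Report{
		SelfSigned:        selfSigned,
		ExpiredAtRelease:  cert.NotAfter.Before(releaseDate),
		DaysLeftAtRelease: int(cert.NotAfter.Sub(releaseDate).Hours() / 24),
	}
}

// MustSelfSignedCert builds a constructed six-month self-signed certificate (fixture only).
func MustSelfSignedCert(notBefore time.Time) *x509.Certificate {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example-updatesite-signer"}, // constructed name
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(0, 6, 0), // the six-month lifetime the comment describes
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}
```

A negative DaysLeftAtRelease is the condition the reporter hit: the signer had already expired before 1.5.3 shipped, so every client later shows both the "expired" and the "self-signed" warning.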