Joomla is being sneaky and distributing a cacert.pem (eg: http://curl.haxx.se/ca/cacert.pem)
Should we be distributing it, especially as old versions are being distributed over time?
Should there be checks when Joomla releases are prepared to ensure its kept up to date?
Should it be configurable and updateable through a plugin or configuration setting?
Discuss.
Title |
|
||||||
Labels |
Added:
?
?
|
@PhilETaylor I'm going to add the Request for Comment label here. Let me know if i should remove it. Thanks
As I commented on the referenced thread too, sorry Phil, but I absolutely disagree that removing root ca certificate bundle is the best solution. This is against the whole PKI security concept, and we are breaking the working parts to avoid errors. For the sake of security that would be a big step backwards.
By suggesting downloading/consuming cacert.pem file from an external source (without any assurance you will actually get it from a valid original website), you are getting customers in a high-risk situations. Even more using the plain HTTP links. Hint: Man-In-The-Middle attacks!!
The whole purpose of a root ca certificate bundles being distributed with browsers, OSes, cURL, Joomla, "other security-aware software", is to provide users with a locally available trustworthy start-point for further trust-level validation. If you have to grab it from external source you're in an untrustworthy environment and MITM attack is possible.
Points that are correct here are:
Title |
|
||||||
Status | New | ⇒ | Closed | ||||
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2015-05-02 15:40:43 | ||||
Closed_By | ⇒ | PhilETaylor |
@nicksavov drats I was about to update the current distributed version but I see you beat me to it 20113ad