PhilETaylor
1 May 2015

Joomla is being sneaky and distributing a cacert.pem (eg: http://curl.haxx.se/ca/cacert.pem)

Should we be distributing it, especially as old versions are being distributed over time?

Should there be checks when Joomla releases are prepared to ensure it's kept up to date?

Should it be configurable and updateable through a plugin or configuration setting?

Discuss.

ref: https://www.alledia.com/blog/why-updates/

PhilETaylor - open - 1 May 2015
PhilETaylor - comment - 1 May 2015

@nicksavov drats I was about to update the current distributed version but I see you beat me to it 20113ad

zero-24 - change - 1 May 2015
Title
remove cacert.pem from distribution
zero-24 - comment - 1 May 2015

@PhilETaylor I'm going to add the Request for Comment label here. Let me know if I should remove it. Thanks

PhilETaylor - comment - 1 May 2015

@zero-24 Yup that's fine, I wanted to open it up to see what others thought

btoplak - comment - 1 May 2015

As I commented on the referenced thread too, sorry Phil, but I absolutely disagree that removing the root CA certificate bundle is the best solution. This is against the whole PKI security concept, and we are breaking the working parts to avoid errors. For the sake of security that would be a big step backwards.

By suggesting downloading/consuming the cacert.pem file from an external source (without any assurance you will actually get it from a valid original website), you are getting customers into high-risk situations. Even more so when using plain HTTP links. Hint: Man-In-The-Middle attacks!!

The whole purpose of root CA certificate bundles being distributed with browsers, OSes, cURL, Joomla, "other security-aware software", is to provide users with a locally available trustworthy start-point for further trust-level validation. If you have to grab it from an external source you're in an untrustworthy environment and a MITM attack is possible.

Points that are correct here are:

  • Joomla uses an old root CA cert bundle, and it will be outdated now and then. The same happens with browsers, but they don't tend to discard the right approach of distributing root CA certs with browsers. The best approach would be:
    • updating the bundle file regularly; it's available on GitHub, and all of us interested can track the changes and send pull requests when needed https://github.com/bagder/ca-bundle/
    • enabling users to choose/upload a custom root CA cert bundle for use with the J! framework
  • users should be educated to push their host to upgrade their server packages; the source of most problems starts there

This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/6879.
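
Added example, not part of the thread or of Joomla's code: a release-time check of the kind the issue asks about, which reads the date header that curl's generated cacert.pem carries and confirms the certificate blocks are structurally intact. The function names, the 180-day limit and the sample bundle are assumptions made for illustration.

```python
import base64
import binascii
import re
from datetime import datetime

MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()
# Date header that curl's generated cacert.pem carries near the top.
HEADER_RE = re.compile(r"^## Certificate data from Mozilla as of: (.+)$", re.M)
BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
BLOCK_RE = re.compile(re.escape(BEGIN) + r"(.*?)" + re.escape(END), re.S)

# Constructed sample: the date is made up and the body is placeholder
# base64, not a real certificate.
SAMPLE = """\
## Certificate data from Mozilla as of: Wed Jan  1 00:00:00 2014
Example Root (constructed)
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----
"""

def bundle_date(text):
    """Return the bundle's generation date, or None if absent/unparseable."""
    m = HEADER_RE.search(text)
    if not m:
        return None
    parts = m.group(1).split()  # weekday, month, day, time, year[, zone]
    try:
        return datetime(int(parts[4]), MONTHS.index(parts[1]) + 1, int(parts[2]))
    except (IndexError, ValueError):
        return None

def check_bundle(text, today, max_age_days=180):
    """Return a list of problems; an empty list means the bundle passes."""
    problems = []
    stamp = bundle_date(text)
    if stamp is None:
        problems.append("missing or unparseable date header")
    elif (today - stamp).days > max_age_days:  # 180 days is an assumed limit
        problems.append("bundle is %d days old" % (today - stamp).days)
    blocks = BLOCK_RE.findall(text)
    if not blocks or len(blocks) != text.count(BEGIN) or len(blocks) != text.count(END):
        problems.append("missing or unbalanced certificate markers")
    for i, body in enumerate(blocks, 1):
        try:  # structural check only; this does not parse the X.509 data
            base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error:
            problems.append("certificate block %d is not valid base64" % i)
    return problems
```

A release script would call `check_bundle` on the bundled file's contents and refuse to package while the returned list is non-empty.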
PhilETaylor - change - 2 May 2015
Title
remove cacert.pem from distribution
Status New → Closed
Closed_Date 0000-00-00 00:00:00 → 2015-05-02 15:40:43
Closed_By PhilETaylor
PhilETaylor - close - 2 May 2015