I am fairly new to encryption and SSL. Today I googled a bit (read some articles about security) and encountered the site https://cacert.org. I clicked it and was surprised. Chrome showed me a "not trusted" error. The SSL certificate seems not to be valid. I looked up the certificate and it shows me that the certification agency is not trusted anymore. I have some questions now:

  • Isn't CAcert a certification agency itself?
  • Why is that?
  • Could this be some kind of attack approach? (MITM)
  • What can I do?
  • Where can I get more information?

2 Answers

In the case of cacert.org, they are presenting a self-signed certificate and that's why your browser complains. There is no trust chain that leads from the certificate to a root CA that you trust.

If you were using a Linux distribution that comes with their certificate pre-installed, you wouldn't see a warning. It would be inferred that by using such a system you trust the community.

In the case of other OSs you put trust in a public PKI that is supported (and provided in the form of a root certificate store embedded in their products) by Microsoft, Apple, Google, or Mozilla.

Cacert.org is outside of this infrastructure and that's why you see a warning.


Why?

Their "business" decision. They are free to do whatever they want when they provide web services. They could ask users to install their root CA, they could invest money and get a signed certificate for their website, or not invest and get a free letsencrypt certificate*.

They chose the first model, seemingly because that fits their purpose and "eat your own dogfood" idea.


What can you do?

It depends on what you want to do. You can access the site with http://cacert.org/ and read.

If you want to access it with HTTPS, you can display the provided certificate and examine it yourself, then make your own decision whether to trust it.

The tricky part is that it indeed could be a MitM attack, so you should compare the fingerprint of the certificate you got with a fingerprint you obtained through another trusted connection. They publish the fingerprints here, but until you trust that it is really them, you can't really trust that the site belongs to the real them. Catch 21.

You could either confirm the fingerprint with another source you trust (a friend, or just search Google for the fingerprint you got and evaluate: if it appears all over reliable places, it has a good chance of being valid) or use Debian, which comes with their root certificate pre-installed, to access the site over HTTPS.

You can then follow the link to the instructions on how to install their root CA, install it, and trust the certificates they signed from now on (including their own one).


* Technically they could use a certificate recognized by public infrastructure for their site and avoid the problem of initial trust, but maybe they decided that making you ask such a question is better for the spread of knowledge...

  • "maybe they decided that making you ask such a question is better for the spread of knowledge..." as you see it worked :) Thanks for this answer!
    – licklake
    Commented Jun 9, 2016 at 8:28
CAcert-issued certificates are not self-signed. Their root certificate is self-signed, like all other CAs' roots are.

Why the CAcert root isn't included in any of the major browsers (making your Chrome display the "not secure" warning) is a completely different story. They did apply for that, but ultimately were never able to make the requested changes in their policies/procedures and prove the changes to the CA/Browser Forum.

Wikipedia page https://en.wikipedia.org/wiki/CAcert.org#Inclusion_status states:

CAcert withdrew its request for inclusion at the end of April 2007.

So, now they're just fading out.

  • ... which is a pity, since they provide(d) such an interesting service to the community (well before Let's Encrypt and similar providers started to appear). I still use CAcert every time I need a certificate that is marginally better than a self-signed one but can't be bothered to request a 'real' certificate from Let's Encrypt (aye, there are some edge cases where that is the case — e.g. when testing your own code to generate CSRs, to see if they're properly recognised, for instance; something you won't wish to experiment with on a real CA). Commented Feb 24, 2023 at 11:14
  • CAcert in a nutshell: They managed to get themselves deadlocked by their own policies and already take themselves too seriously to become serious. They don't have enough people to keep the show running, but don't seem to understand that in order to get those people, you need to have a running show.
    – Bachsau
    Commented Mar 2, 2023 at 19:18
  • Back in 2018 I blogged about transitioning my own cert business to Let's Encrypt. At the time Mr. Dampf commented on my post stating that CAcert.org is lacking volunteers. No actual changes have happened; I'd still like to volunteer today, but it doesn't seem to be possible. The show isn't running. Commented Mar 3, 2023 at 18:08
