On Friday, September 26, the system hackers team discovered a misconfiguration in the wiki setup. The error, if discovered, would have enabled an unauthorised party to read protected pages and user configurations.

It was possible to read the encrypted password hashes of guest users. Registered Fellows, who log in using their Fellowship password, were not affected by this. We recommend that all others change their wiki password as a precaution.

Authentication FAQ

My browser tells me that the website is certified by an Unknown Authority and advises me to notify the webmaster. What should I do?

FSFE secure websites use SSL certificates issued by CAcert, a community-run Certification Authority. The exception is the Fellowship join process, which uses a certificate from GoDaddy that does not need the installation of the CAcert certificate.

When you connect to a secure site (such as the Fellowship join page, or other Fellowship services), your browser checks the validity of the SSL certificate provided by the website; for that check to succeed, you must have the CAcert root certificate installed in your browser/system.

Unfortunately not all browsers or operating systems have the root certificate for CAcert installed by default.

Most GNU/Linux distributions include the CAcert root certificate; for Debian, you just have to install the ca-certificates package.

You can check the status of inclusion of CAcert root certificates in applications and operating systems at http://wiki.cacert.org/wiki/InclusionStatus

In general, you can import the CAcert root certificate into your browser by visiting this page: http://www.cacert.org/index.php?id=3

The GNU Savannah project also uses CAcert certificates for secure connections to its web site; they have a nice tutorial explaining how to import the root certificate into your browser.

I have installed the root certificate of CAcert, but I still get a warning saying "Domain name mismatch" when connecting to some Fellowship services (wiki.fsfe.org, blogs.fsfe.org...)

The problem arises because there is no clear standard on how to deal with multiple domain certificates. Different browsers react differently to certificates with multiple domains.

It is perfectly safe to accept the connection: have a look at the certificate, and you'll see the right domain names in the Subject Alt Name field of the certificate.

To read more about this topic, go to CAcert's wiki.

Get CAcert certificates working with Chromium

source: http://cad.cx/blog/2009/08/11/howto-add-cacert-root-certificates-to-chromium/

sudo apt-get install libnss3-tools
wget http://www.cacert.org/certs/root.crt
wget http://www.cacert.org/certs/class3.crt
certutil -d sql:$HOME/.pki/nssdb -A -t "TCu,Cu,Tuw" -n "CACert Class 1 Root Certificate" -i root.crt
certutil -d sql:$HOME/.pki/nssdb -A -t "TCu,Cu,Tuw" -n "CACert Class 3 Root Certificate" -i class3.crt
rm root.crt class3.crt
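
The commands above fetch the root certificates over plain HTTP and trust them immediately. The following added example (not part of the original page or the linked howto) imports a certificate only if its SHA-256 fingerprint matches a value you obtained through a separate trusted channel. The function names are hypothetical, and it assumes openssl is installed and the downloaded file is PEM-encoded.

```shell
#!/bin/sh
# Added example: check a downloaded CA certificate's SHA-256 fingerprint
# before adding it to the NSS database used by Chromium.
# Usage (the fingerprint is a placeholder you must obtain out of band):
#   sh import-verified.sh root.crt "CACert Class 1 Root Certificate" "<expected-fingerprint>"

# Normalise a fingerprint: drop any "label=" prefix, colons and spaces, upper-case it.
normalize_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \n' | tr 'abcdef' 'ABCDEF'
}

# Succeed only if both values are the same 64-hex-digit SHA-256 fingerprint.
fp_matches() {
    a=$(normalize_fp "$1")
    b=$(normalize_fp "$2")
    case "$a" in *[!0-9A-F]*|"") return 1 ;; esac
    [ "${#a}" -eq 64 ] && [ "$a" = "$b" ]
}

# Print the SHA-256 fingerprint line of a PEM certificate file.
cert_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# import_verified FILE NICKNAME EXPECTED_FP
# Runs the page's certutil command only after the fingerprint check passes.
import_verified() {
    actual=$(cert_fp "$1") || { echo "cannot parse $1" >&2; return 2; }
    if fp_matches "$actual" "$3"; then
        certutil -d "sql:$HOME/.pki/nssdb" -A -t "TCu,Cu,Tuw" -n "$2" -i "$1"
    else
        echo "fingerprint mismatch for $1, not importing" >&2
        return 1
    fi
}

# Only act when called with FILE NICKNAME EXPECTED_FP.
if [ "$#" -eq 3 ]; then import_verified "$@"; fi
```

Run it once per downloaded file, in place of the two certutil lines above; a mismatch leaves the NSS database untouched.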

