Fedora User Certificates
gnu at toad.com
Fri Aug 22 13:46:04 EDT 2008
> Effective immediately we have replaced the CA that is in use for
> cvs.fedoraproject.org and koji.fedoraproject.org This effects uploading to
> lookaside cache and building packages.
How do we know whether the old CA or the new CA is the secure one? This
email "from Dennis" could easily be a spoof or a phish:
> There are some manual steps that everyone needs to do to be able to use the
> systems again.
"We've had a problem and we have to re-validate your account."
> they are
> login to https://admin.fedoraproject.org/accounts/ and click on the "Download
> a client-side certificate" link at the bottom of the home page. save the
> output to ~/.fedora.cert
First give us your username and password. We promise not to abuse it
Then overwrite the securely signed key that has validated the
real web site for years -- with whatever we send you from our spoof site.
Then you'll REALLY be secure.
I'm serious. Whether or not there's been a security compromise on
the Fedora servers, it would be easy for the people who did it to pull
a DNS spoof, get a bunch more passwords, and get many community members
to believe that the spoof site is the real thing.
I only recommend replacing your Fedora certificate if you have been
asked to do so personally, e.g. by phone from a voice that you
recognize as a friend or colleague in Fedora.
More information about the Devel