[wp-trac] [WordPress Trac] #18577: Updates and downloads should be signed or delivered securely

WordPress Trac noreply at wordpress.org
Mon Jul 29 19:16:37 UTC 2013


#18577: Updates and downloads should be signed or delivered securely
-----------------------------+------------------------------
 Reporter:  wplid            |       Owner:
     Type:  enhancement      |      Status:  new
 Priority:  normal           |   Milestone:  Awaiting Review
Component:  Upgrade/Install  |     Version:
 Severity:  normal           |  Resolution:
 Keywords:  2nd-opinion      |
-----------------------------+------------------------------
Changes (by samuelsidler):

 * cc: samuelsidler, duck_, westi, aaroncampbell, nacin (added)


Comment:

 We should re-visit moving API calls, updates, and plugin/theme updates
 over SSL. There might be some installs that break, but we can check for
 that internally. Server-side, wordpress.org is ready for the switch over
 if we decide to do it.

 Westi updated the relevant URLs (from http to https) in the
 [http://wordpress.org/plugins/wordpress-beta-tester/ beta tester plugin],
 to get a feel for what breaks. But there would be more logic required in
 core to ship SSL.

 For example, we'll probably want to check if SSL is broken on the server
 and, if so, stop allowing automatic updates. In that scenario, we'd still
 ping the API but if an update was available, we'd link to a hardcoded (in
 core) download URL and tell the user they must update manually. We should
 also consider adding some explanatory text, helping the user understand
 their situation and recommending they contact their host.

--
Ticket URL: <http://core.trac.wordpress.org/ticket/18577#comment:3>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
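
The fallback described in the comment above, sketched as an added example; this is not WordPress core code or anything attached to the ticket. The function names, the `MANUAL_DOWNLOAD_URL` placeholder, the probed host and the sample version string are assumptions made for illustration.

```php
<?php
// Added illustration: names below are hypothetical, not WordPress core code.
const MANUAL_DOWNLOAD_URL = 'https://example.org/download/'; // placeholder for the URL hardcoded in core

/** Returns null when a verified TLS connection to $host works, else the reason it does not.
 *  $probe can be injected so the decision logic can be exercised offline. */
function ssl_failure_reason(string $host, ?callable $probe = null): ?string {
    if (!extension_loaded('openssl')) {
        return 'PHP has no openssl extension';
    }
    $probe = $probe ?? function (string $host): ?string {
        $ctx = stream_context_create(['ssl' => [
            'verify_peer'      => true,   // reject untrusted certificate chains
            'verify_peer_name' => true,   // reject hostname mismatches
            'peer_name'        => $host,
        ]]);
        $errno = 0;
        $errstr = '';
        $sock = @stream_socket_client("ssl://$host:443", $errno, $errstr, 10,
            STREAM_CLIENT_CONNECT, $ctx);
        if ($sock === false) {
            return $errstr !== '' ? $errstr : 'TLS handshake failed';
        }
        fclose($sock);
        return null;
    };
    return $probe($host);
}

/** Maps "is an update offered?" and "is SSL usable?" to the updater's behaviour. */
function plan_update(?string $offered_version, ?string $ssl_failure): array {
    if ($offered_version === null) {
        return ['action' => 'none'];
    }
    if ($ssl_failure === null) {
        return ['action' => 'auto', 'version' => $offered_version];
    }
    // SSL is broken: never fetch the package automatically, point at the fixed URL instead.
    return [
        'action'   => 'manual',
        'version'  => $offered_version,
        'download' => MANUAL_DOWNLOAD_URL,
        'notice'   => "Automatic updates are disabled because this server cannot make "
                    . "secure connections ($ssl_failure). Update manually and contact your host.",
    ];
}

// Constructed scenario: an update is offered, but certificate verification fails.
$failure = ssl_failure_reason('api.wordpress.org', fn($h) => 'certificate verify failed');
print_r(plan_update('0.0-example', $failure));
```

Dropping the injected closure makes `ssl_failure_reason()` attempt a real verified handshake, which is the check that tells a missing CA bundle or an intercepting proxy apart from a working install.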
