[wp-trac] [WordPress Trac] #18577: Updates and downloads should be signed or delivered securely
WordPress Trac
noreply at wordpress.org
Tue Jul 30 11:34:25 UTC 2013
#18577: Updates and downloads should be signed or delivered securely
-----------------------------+------------------------------
Reporter: wplid | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Upgrade/Install | Version:
Severity: normal | Resolution:
Keywords: 2nd-opinion |
-----------------------------+------------------------------
Comment (by rmccue):
Replying to [comment:3 samuelsidler]:
> For example, we'll probably want to check if SSL is broken on the server
and, if so, stop allowing automatic updates.
This is the case for any server without cURL (as per mdawaffe's talk).
I've found this is somewhere between 15-30% of servers, unfortunately.
(fsockopen supports SSL if OpenSSL is installed, but as mdawaffe noted, it
doesn't check the certificate correctly.)
I'd say that we should use HTTPS where possible, and fall back to HTTP if
needed while letting the user know (probably a notice on `update-
core.php`).
--
Ticket URL: <http://core.trac.wordpress.org/ticket/18577#comment:4>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
More information about the wp-trac
mailing list