[wp-trac] [WordPress Trac] #5066: Anonymize update checking
WordPress Trac
wp-trac at lists.automattic.com
Thu Dec 17 17:24:05 UTC 2009
#5066: Anonymize update checking
-------------------------------------------+--------------------------------
 Reporter:  zamoose                        |        Owner:  anonymous
     Type:  enhancement                    |       Status:  reopened
 Priority:  normal                         |    Milestone:  3.0
Component:  Administration                 |      Version:
 Severity:  normal                         |   Resolution:
 Keywords:  has-patch 2nd-opinion privacy  |
-------------------------------------------+--------------------------------

Comment(by chmac):

Replying to [comment:39 docwhat]:
> WP.org doesn't have to be compromised, a man-in-the-middle attack would
> work as well. But either way, why wouldn't it hold sway? Unless
> wordpress.org signs a contract with me that contains penalties for being
> hacked, I don't see how or why I should trust them with my data.

Personally, I agree completely. But, I don't think I'd hold the same view
if I were a core dev or an Automattic employee. In that case, I think I'd
be willing to tolerate these outside and unlikely problems for a few
users. I'd most likely justify my decision saying that it was "for the
greater good".

The man in the middle attack is particularly appropriate in the Iranian
example. I imagine the Iranian government has the capability to easily
monitor all outgoing traffic to the update service without even needing a
man in the middle attack. Simple traffic monitoring would probably be
sufficient (I'm assuming the data is sent in plain text).

--
Ticket URL: <http://core.trac.wordpress.org/ticket/5066#comment:40>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software