[wp-trac] [WordPress Trac] #18577: Updates and downloads should be signed or delivered securely
WordPress Trac
wp-trac at lists.automattic.com
Sat Sep 3 01:36:32 UTC 2011
#18577: Updates and downloads should be signed or delivered securely
-----------------------------+------------------------------
Reporter: wplid | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Upgrade/Install | Version:
Severity: normal | Resolution:
Keywords: 2nd-opinion |
-----------------------------+------------------------------
Changes (by dd32):
* keywords: => 2nd-opinion
* type: defect (bug) => enhancement
* component: General => Upgrade/Install
Comment:

In quite a lot of cases (this is from personal experience whilst debugging
issues people have with the HTTP API), server configurations don't actually
allow for proper HTTPS communication. HTTPS will be available, but the
certificates will not be processed to ensure they're signed (just valid,
so a MITM attack could insert a cert with the right name and pass). That
isn't a WordPress configuration issue, rather a PHP configuration/PHP
module configuration issue (the fact that WordPress can reliably make
outgoing connections on many hosts is surprising in itself, honestly).

I'll leave the floor open for others on signing though; I know there are a
few people who follow trac who have had a lot more dealings with SSL
outgoing connections too, so we can probably detect when we can definitely
use verified SSL.

I'm marking this as an enhancement, simply due to it not being a "fault"
condition in existing code, simply something which could be done better,
and/or make a better product.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/18577#comment:1>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
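
The check the comment above hints at ("detect when we can definitely use verified SSL"), as an added example that is not part of the original message and is not WordPress core code. The function names `can_verify_https()` and `verified_curl_handle()` are hypothetical; the example assumes PHP with the cURL extension and treats a readable CA bundle as the requirement for verified connections.

```php
<?php
// Added example: hypothetical helpers, not WordPress's HTTP API.

/**
 * Report whether this PHP install can verify an HTTPS peer, i.e. check
 * that the certificate chains to a trusted CA, not merely that TLS works.
 */
function can_verify_https($ca_bundle = null)
{
    $report = array(
        'curl_ssl'    => false,                        // cURL built with TLS support
        'openssl_ext' => extension_loaded('openssl'),  // needed for https:// streams
        'ca_bundle'   => null,                         // trust anchors actually found
        'verified_ok' => false,
    );
    if (function_exists('curl_version')) {
        $v = curl_version();
        $report['curl_ssl'] = (bool) ($v['features'] & CURL_VERSION_SSL);
    }
    // Candidate CA bundles: caller-supplied path, then php.ini settings,
    // then OpenSSL's compiled-in default where PHP exposes it.
    $candidates = array($ca_bundle, ini_get('curl.cainfo'), ini_get('openssl.cafile'));
    if (function_exists('openssl_get_cert_locations')) {
        $loc = openssl_get_cert_locations();
        $candidates[] = $loc['default_cert_file'];
    }
    foreach ($candidates as $path) {
        if ($path && is_readable($path)) {
            $report['ca_bundle'] = $path;
            break;
        }
    }
    // Conservative: claim verified SSL only when trust anchors are known.
    $report['verified_ok'] = $report['curl_ssl'] && $report['ca_bundle'] !== null;
    return $report;
}

/** Build a cURL handle that rejects unsigned or wrongly named certificates. */
function verified_curl_handle($url, $ca_bundle)
{
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    // Setting VERIFYPEER to false is the weak case the comment describes:
    // any certificate carrying the right name would be accepted.
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true); // chain must reach a trusted CA
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);    // certificate name must match host
    curl_setopt($ch, CURLOPT_CAINFO, $ca_bundle);
    return $ch;
}

var_export(can_verify_https());
```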