[wp-trac] [WordPress Trac] #18577: Updates and downloads should be signed or delivered securely
WordPress Trac
noreply at wordpress.org
Wed Aug 7 10:30:05 UTC 2013
#18577: Updates and downloads should be signed or delivered securely
-----------------------------+------------------------------
Reporter: wplid | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Upgrade/Install | Version:
Severity: normal | Resolution:
Keywords: 2nd-opinion |
-----------------------------+------------------------------
Comment (by westi):
Replying to [comment:3 samuelsidler]:
> We should re-visit moving API calls, updates, and plugin/theme updates
> over SSL. There might be some installs that break, but we can check for
> that internally. Server-side, wordpress.org is ready for the switch over
> if we decide to do it.
>
> Westi updated the relevant URLs (from http to https) in the
> [http://wordpress.org/plugins/wordpress-beta-tester/ beta tester plugin],
> to get a feel for what breaks. But there would be more logic required in
> core to ship SSL.
>
> For example, we'll probably want to check if SSL is broken on the server
> and, if so, stop allowing automatic updates. In that scenario, we'd still
> ping the API but if an update was available, we'd link to a hardcoded (in
> core) download URL and tell the user they must update manually. We should
> also consider adding some explanatory text, helping the user understand
> their situation and recommending they contact their host.
This wasn't quite launched yet; I didn't want to break something just
before we launched 3.6 :)

api.wordpress.org will now return HTTPS URLs for assets when API requests
are made over SSL.

I'm going to push out the new beta tester build which forces SSL for the
API requests next.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/18577#comment:10>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software