[wp-trac] [WordPress Trac] #18577: Updates and downloads should be signed or delivered securely

WordPress Trac noreply at wordpress.org
Tue Jul 30 11:34:25 UTC 2013


#18577: Updates and downloads should be signed or delivered securely
-----------------------------+------------------------------
 Reporter:  wplid            |       Owner:
     Type:  enhancement      |      Status:  new
 Priority:  normal           |   Milestone:  Awaiting Review
Component:  Upgrade/Install  |     Version:
 Severity:  normal           |  Resolution:
 Keywords:  2nd-opinion      |
-----------------------------+------------------------------

Comment (by rmccue):

 Replying to [comment:3 samuelsidler]:
 > For example, we'll probably want to check if SSL is broken on the server
 > and, if so, stop allowing automatic updates.

 This is the case for any server without cURL (as per mdawaffe's talk).
 I've found this is somewhere between 15-30% of servers, unfortunately.
 (fsockopen supports SSL if OpenSSL is installed, but as mdawaffe noted, it
 doesn't check the certificate correctly.)

 I'd say that we should use HTTPS where possible, and fall back to HTTP if
 needed while letting the user know (probably a notice on
 `update-core.php`).

--
Ticket URL: <http://core.trac.wordpress.org/ticket/18577#comment:4>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software

