[wp-trac] [WordPress Trac] #18577: Updates and downloads should be signed or delivered securely

WordPress Trac noreply at wordpress.org
Tue Jul 30 12:26:35 UTC 2013


#18577: Updates and downloads should be signed or delivered securely
-----------------------------+------------------------------
 Reporter:  wplid            |       Owner:
     Type:  enhancement      |      Status:  new
 Priority:  normal           |   Milestone:  Awaiting Review
Component:  Upgrade/Install  |     Version:
 Severity:  normal           |  Resolution:
 Keywords:  2nd-opinion      |
-----------------------------+------------------------------

Comment (by rmccue):

 Replying to [comment:7 dd32]:
 > If we really care about this, it has to be 100% or nothing in my mind.
 > If we just use SSL when available, a MITM attack could render the HTTPS
 > requests inoperable, triggering a fallback condition.

 Keep in mind, if we do it via signing in a higher layer, we also need to
 think about things like key revocation.

 > Just saying in passing, phpseclib is also used by the plugin which
 > replaces core's php_ssh2 update transport with a pure PHP transport method
 > for 100% server compatibility.

 See #21610 and #16925 for that.

--
Ticket URL: <http://core.trac.wordpress.org/ticket/18577#comment:8>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
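
The fallback condition raised in the quoted text above, as an added Python sketch that is not part of the original message and is not WordPress code. The network is simulated, and the host name, payloads and function names are hypothetical.

```python
class TransportError(Exception):
    """Raised when a request cannot be completed."""


def make_network(https_blocked):
    """Return a fake fetch(url) function (constructed data, no real network).

    When https_blocked is True, an on-path party drops every HTTPS
    connection and answers plain HTTP requests with its own body.
    """
    def fetch(url):
        if url.startswith("https://"):
            if https_blocked:
                raise TransportError("TLS connection failed")
            return b"genuine-update"
        # Plain HTTP carries no integrity protection, so whoever sits on
        # the path decides what the client receives.
        return b"tampered-update" if https_blocked else b"genuine-update"
    return fetch


def fetch_opportunistic(fetch, host_path):
    """'SSL when available': retry over HTTP if HTTPS fails."""
    try:
        return "https", fetch("https://" + host_path)
    except TransportError:
        # The client cannot tell an outage from deliberate interference,
        # so this branch is reachable by anyone able to break HTTPS.
        return "http", fetch("http://" + host_path)


def fetch_strict(fetch, host_path):
    """'100% or nothing': HTTPS only, fail closed on any error."""
    return "https", fetch("https://" + host_path)


if __name__ == "__main__":
    target = "updates.example.invalid/core.zip"  # hypothetical endpoint
    hostile = make_network(https_blocked=True)
    print("opportunistic:", fetch_opportunistic(hostile, target))
    try:
        fetch_strict(hostile, target)
    except TransportError as exc:
        print("strict: update refused,", exc)
```

With the strict policy the worst outcome under interference is a missed update, which the site can report and retry.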

