[wp-trac] [WordPress Trac] #25252: Pin the WordPress.org SSL certificates
WordPress Trac
noreply at wordpress.org
Sun Sep 8 03:15:18 UTC 2013
#25252: Pin the WordPress.org SSL certificates
-------------------------+-------------------
Reporter: rmccue | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: 3.7
Component: HTTP | Version: trunk
Severity: normal | Keywords:
-------------------------+-------------------
#25007 introduced full SSL support for the streams transport, but still
leaves us open to having
[http://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html a valid certificate posing as WordPress.org].
This is a huge issue with things like auto-upgrades, since we need to
ensure that we're acting in a safe manner.
The way this type of issue has been handled is to use
[https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning certificate pinning].
This has been in Chrome for Google-related properties since version 13 (with
[https://src.chromium.org/viewvc/chrome/trunk/src/net/http/transport_security_state_static.json ever-expanding support])
and Firefox is
[https://wiki.mozilla.org/Security/Features/CA_pinning_functionality moving towards implementing it].
In terms of how we achieve this, we can simply set the cacert path to the
.org certificates locally.
One issue we might want to consider here is whether this is flexible
enough. Certificates may (should) expire, and we don't want sites
everywhere breaking because of this. I believe the best solution here is
to make a long-lived certificate for .org and bundle that as the CA, with
the real certificates being signed by that one.
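The sketch below is an added example, not code from the ticket or from WordPress core, of what "set the cacert path to the .org certificates locally" looks like when done through the WordPress HTTP API: a filter on `http_request_args` forces verification on and points the transport at a bundled CA file for any HTTPS request to wordpress.org, a `pre_http_request` hook refuses the request if that bundle is missing (so a lost file fails closed instead of quietly falling back to the system CA store), and a helper reports how many days the bundled CA has left, which is the expiry concern raised above. The bundle path `certs/wporg-ca.pem` and the `PINNED_WPORG_CA_BUNDLE` constant are assumptions; the `sslverify` and `sslcertificates` request arguments are the WP_Http ones.

```php
<?php
/**
 * Added example: pin HTTPS requests to wordpress.org hosts to a locally
 * bundled CA. Not WordPress core code and not part of the ticket.
 *
 * Assumption: certs/wporg-ca.pem (path is hypothetical) holds the long-lived
 * WordPress.org CA that signs the real site certificates.
 */
define( 'PINNED_WPORG_CA_BUNDLE', plugin_dir_path( __FILE__ ) . 'certs/wporg-ca.pem' );

/**
 * True for wordpress.org and its subdomains. The suffix check includes the
 * leading dot so that e.g. "notwordpress.org" does not match.
 */
function wporg_pin_is_pinned_host( $host ) {
	$host = strtolower( (string) $host );
	if ( 'wordpress.org' === $host ) {
		return true;
	}
	$suffix = '.wordpress.org';
	return substr( $host, -strlen( $suffix ) ) === $suffix;
}

/** True when $url is an HTTPS URL whose host is pinned. */
function wporg_pin_applies_to_url( $url ) {
	$parts = parse_url( $url );
	if ( empty( $parts['scheme'] ) || 'https' !== strtolower( $parts['scheme'] ) ) {
		return false;
	}
	return ! empty( $parts['host'] ) && wporg_pin_is_pinned_host( $parts['host'] );
}

/**
 * 'http_request_args' callback: for pinned hosts, verification is mandatory
 * and only the bundled CA is trusted, not the system store.
 */
function wporg_pin_http_request_args( $args, $url ) {
	if ( wporg_pin_applies_to_url( $url ) ) {
		$args['sslverify']       = true;
		$args['sslcertificates'] = PINNED_WPORG_CA_BUNDLE;
	}
	return $args;
}
add_filter( 'http_request_args', 'wporg_pin_http_request_args', 10, 2 );

/**
 * 'pre_http_request' callback: fail closed if the bundle is unreadable.
 * Returning a WP_Error short-circuits the request; returning false lets it run.
 */
function wporg_pin_pre_http_request( $preempt, $args, $url ) {
	if ( wporg_pin_applies_to_url( $url ) && ! is_readable( PINNED_WPORG_CA_BUNDLE ) ) {
		return new WP_Error(
			'wporg_pin_missing_bundle',
			'Pinned CA bundle for wordpress.org is missing; refusing to connect.'
		);
	}
	return $preempt;
}
add_filter( 'pre_http_request', 'wporg_pin_pre_http_request', 10, 3 );

/**
 * Days until the bundled CA certificate expires (negative once expired),
 * or null if the bundle cannot be read or parsed. Lets an admin notice or
 * cron job warn well before pinned requests start failing.
 */
function wporg_pin_bundle_days_until_expiry() {
	$pem = @file_get_contents( PINNED_WPORG_CA_BUNDLE );
	if ( false === $pem ) {
		return null;
	}
	$info = openssl_x509_parse( $pem );
	if ( false === $info || empty( $info['validTo_time_t'] ) ) {
		return null;
	}
	return (int) floor( ( $info['validTo_time_t'] - time() ) / DAY_IN_SECONDS );
}

// Example use: with the filters above in place, this request is verified
// against the bundled CA only; a forged but publicly trusted certificate
// is rejected because it does not chain to that CA.
$response = wp_remote_get( 'https://wordpress.org/' );
if ( is_wp_error( $response ) ) {
	error_log( 'wporg pinned request failed: ' . $response->get_error_message() );
}

$days = wporg_pin_bundle_days_until_expiry();
if ( null !== $days && $days < 30 ) {
	error_log( "Pinned wordpress.org CA expires in {$days} days; ship a new bundle." );
}
```

Two design points follow from the ticket's own concerns. Pinning the long-lived CA rather than the leaf certificate means the site's leaf can be rotated freely as long as it chains to the bundled CA, and the expiry check turns the "sites everywhere breaking" risk into a lead-time warning. Pinning is deliberately scoped to the wordpress.org hosts; other HTTPS requests keep the default CA bundle.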
--
Ticket URL: <http://core.trac.wordpress.org/ticket/25252>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software