[wp-trac] [WordPress Trac] #29816: Some Versions Can't Upgrade to 4.0
WordPress Trac
noreply at wordpress.org
Thu Oct 2 15:48:53 UTC 2014
#29816: Some Versions Can't Upgrade to 4.0
--------------------------------+--------------------
 Reporter:  miqrogroove         |       Owner:
     Type:  defect (bug)        |      Status:  new
 Priority:  normal              |   Milestone:  4.0.1
Component:  WordPress.org site  |     Version:
 Severity:  normal              |  Resolution:
 Keywords:                      |     Focuses:
--------------------------------+--------------------

Comment (by Otto42):

Replying to [comment:17 miqrogroove]:
> What is the reason for not allowing both SSL and non-SSL downloads?

Well, I would say *security* is probably the biggest one.

But then, this does depend on the scale of the issue too. I took a look
through the support forums, and found only six SSL related issues from the
last week. The three you pointed out, one guy who can't seem to install
themes because of an SSL related message, and two others with the same
basic root cert problem.

Is this a widespread enough problem to back off on what is fundamentally a
security issue? Being able to download executable software over non-secure
channels strikes me as "bad-idea". All it would take is one bad actor out
there to set up a proxy to serve their own version of the ZIP file with
some malicious code in it.

If this is happening on thousands and thousands of sites, then yes, it's
an issue. A few bad hosts here and there should be solved by fixing those
hosts or getting customers onto better hosts. Just my 2 cents.

That said, we are allowing for requests to api.* and downloads.* to be
http at the moment, so perhaps routing the main core downloads through
there as well would be acceptable instead. Ping @nacin.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/29816#comment:18>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform