[wp-trac] [WordPress Trac] #25252: Pin the WordPress.org SSL certificates
WordPress Trac
noreply at wordpress.org
Thu Dec 17 04:42:38 UTC 2015
#25252: Pin the WordPress.org SSL certificates
-------------------------+-------------------------
 Reporter:  rmccue       |       Owner:
     Type:  enhancement  |      Status:  closed
 Priority:  normal       |   Milestone:
Component:  HTTP API     |     Version:  3.8
 Severity:  normal       |  Resolution:  maybelater
 Keywords:  has-patch    |     Focuses:
-------------------------+-------------------------
Changes (by dd32):

 * status:  new => closed
 * resolution:   => maybelater
 * milestone:  Future Release =>

Comment:

 No plans yet. Pinning HTTPS in PHP is a lot harder than in compiled
 applications where you have access to the raw underlying SSL certificate.

 Pinning also has several downsides, including that the way we'd have to do
 it would limit us to pre-selecting who would sign our certificates, or
 having some kind of update mechanism to let older sites know that they can
 now trust a new cert.

 Ultimately, I don't think we'll be pinning the certificate, but instead
 might add signing (of packages, and/or api responses) so that we can trust
 the data whether it came from HTTP, HTTPS, or a MITM'd broken HTTPS
 session.

 I'm going to mark this as maybelater, we might still do it, but I can't
 see it being viable.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/25252#comment:14>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform