[wp-trac] [WordPress Trac] #43320: Harden API requests against man-in-the-middle attacks
WordPress Trac
noreply at wordpress.org
Wed Feb 14 19:45:24 UTC 2018
#43320: Harden API requests against man-in-the-middle attacks
-------------------------+------------------------------
Reporter: iandunn | Owner:
Type: enhancement | Status: new
Priority: low | Milestone: Awaiting Review
Component: Security | Version: 3.7.1
Severity: minor | Resolution:
Keywords: | Focuses:
-------------------------+------------------------------
Comment (by jdgrimes):
#39309 would also mitigate this as it relates to actually installing the
updates, because only packages with valid signatures would be installed.
So a man in the middle could not modify the package (or signature, since
they need the private key to generate a valid signature).
It would not solve the problem of MitM for API requests in general though;
a MitM could still prevent a site from updating by tricking it into
thinking no update was available, for example.
However, a similar technique could be used, by signing all API responses.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/43320#comment:1>
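The response-signing idea in the comment above, as an added Go example that is not part of the ticket or of WordPress core: the API server signs each response body with an Ed25519 private key, the site verifies it against a pinned public key, and a body rewritten in transit (for instance to claim no update is available) no longer verifies. The `SignedResponse` envelope, the function names and the sample bodies are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// SignedResponse is a hypothetical envelope for an API response: the raw
// response body plus a signature made with the API server's private key.
type SignedResponse struct {
	Body      []byte
	Signature string // base64 Ed25519 signature over Body
}

// Sign is what the API server does with its private key.
func Sign(priv ed25519.PrivateKey, body []byte) SignedResponse {
	sig := ed25519.Sign(priv, body)
	return SignedResponse{Body: body, Signature: base64.StdEncoding.EncodeToString(sig)}
}

// Verify is what the site does before trusting a response. The public key is
// pinned in the client, so anyone who rewrites Body in transit cannot produce
// a matching signature without the private key.
func Verify(pub ed25519.PublicKey, r SignedResponse) ([]byte, error) {
	sig, err := base64.StdEncoding.DecodeString(r.Signature)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return nil, errors.New("malformed signature")
	}
	if !ed25519.Verify(pub, r.Body, sig) {
		return nil, errors.New("signature does not match response body")
	}
	return r.Body, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	// Constructed sample response: an update is available.
	genuine := Sign(priv, []byte(`{"update_available":true,"version":"1.2.3"}`))
	// Simulate the body being rewritten in transit to say no update exists.
	tampered := genuine
	tampered.Body = []byte(`{"update_available":false}`)
	_, errGenuine := Verify(pub, genuine)
	_, errTampered := Verify(pub, tampered)
	fmt.Println("genuine:", errGenuine, "| tampered:", errTampered)
}
```

This only protects integrity of each response; it does not by itself stop an old, validly signed response from being replayed, so a production design would also bind responses to a timestamp or nonce.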
WordPress Trac <https://core.trac.wordpress.org/>