Updates and downloads should be delivered securely
Reported by: wplid
Owned by:
Cc: johnbillion@…, samuelsidler, duck_, westi, aaroncampbell, nacin, tieptoep, bpetty, juliobosk@…, info@…, j@…
All channels for downloading WordPress installations and plugins (e.g. from downloads.wordpress.org) should either be signed or delivered securely (e.g. via SSL) to mitigate man-in-the-middle attacks. Such attacks can lead to arbitrary code execution.
It appears that currently, downloads and automatic updates are neither signed nor delivered securely.
Change History (36)
- Component changed from General to Upgrade/Install
- Keywords 2nd-opinion added
- Type changed from defect (bug) to enhancement
comment:3 samuelsidler — 5 months ago
- Cc samuelsidler duck_ westi aaroncampbell nacin added
comment:16 samuelsidler — 4 months ago
- Summary changed from Updates and downloads should be signed or delivered securely to Updates and downloads should be delivered securely
comment:27 nacin — 4 months ago
- Milestone changed from Awaiting Review to 3.7
- Type changed from enhancement to task (blessed)