Updates and downloads should be signed or delivered securely
Reported by: wplid | Owned by: (none)
All channels for downloading WordPress installations and plugins (e.g. from downloads.wordpress.org) should either be signed or delivered securely (e.g. via SSL) to mitigate man-in-the-middle attacks. Such attacks can lead to arbitrary code execution.
It appears that currently, downloads and automatic updates are neither signed nor delivered securely.
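The signing option requested above, as an added example that is not part of the ticket and not WordPress's own code: the client checks a detached signature over the downloaded package against a pinned public key before anything is unpacked. It assumes PHP's sodium extension and Ed25519 as the signature scheme; the function name, variable names and sample bytes are hypothetical and constructed for the demo.

```php
<?php
declare(strict_types=1);

/**
 * Return true only if $package carries a valid Ed25519 detached signature
 * made with the secret key matching $trustedPublicKey.
 * Hypothetical helper for illustration; not a WordPress API.
 */
function verify_update_package(string $package, string $signatureB64, string $trustedPublicKey): bool
{
    // Strict decoding rejects any character outside the base64 alphabet.
    $signature = base64_decode($signatureB64, true);
    if ($signature === false || strlen($signature) !== SODIUM_CRYPTO_SIGN_BYTES) {
        return false; // malformed or truncated signature: fail closed
    }
    if (strlen($trustedPublicKey) !== SODIUM_CRYPTO_SIGN_PUBLICKEYBYTES) {
        return false; // misconfigured trust anchor: fail closed
    }
    return sodium_crypto_sign_verify_detached($signature, $package, $trustedPublicKey);
}

// --- Constructed demo data -------------------------------------------------
// In a real deployment the secret key stays offline with the publisher and
// only the public key ships inside the client. Both are generated here so
// the example runs on its own.
$keypair   = sodium_crypto_sign_keypair();
$secretKey = sodium_crypto_sign_secretkey($keypair);
$publicKey = sodium_crypto_sign_publickey($keypair);

// Stand-in for the bytes of a downloaded plugin archive.
$package      = "constructed sample bytes standing in for a plugin zip";
$signatureB64 = base64_encode(sodium_crypto_sign_detached($package, $secretKey));

// The same download after modification in transit.
$tampered = $package . " [altered in transit]";

$cases = [
    'intact package, valid signature' => [$package,  $signatureB64],
    'modified package, old signature' => [$tampered, $signatureB64],
    'intact package, garbage signature' => [$package, 'not-base64!!'],
];

foreach ($cases as $label => [$bytes, $sig]) {
    $ok = verify_update_package($bytes, $sig, $publicKey);
    // An updater would abort and discard the download whenever $ok is false.
    printf("%-36s %s\n", $label . ':', $ok ? 'install' : 'reject');
}
```

Because the check covers the package bytes themselves, it holds even when the download travels over plain HTTP or through a mirror; transport security alone only protects the connection to whichever server answers.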