Opened 21 months ago

Last modified 21 months ago

#18577 new enhancement

Updates and downloads should be signed or delivered securely

Reported by: wplid
Owned by: (none)
Priority: normal
Milestone: Awaiting Review
Component: Upgrade/Install
Version: (none)
Severity: normal
Keywords: 2nd-opinion
Cc: johnbillion@…

Description

All channels for downloading WordPress installations and plugins (e.g. from downloads.wordpress.org) should either be signed or delivered securely (e.g. via SSL) to mitigate man-in-the-middle attacks. Such attacks can lead to arbitrary code execution.

It appears that currently, downloads and automatic updates are neither signed nor delivered securely.

Change History (2)

  • Component changed from General to Upgrade/Install
  • Keywords 2nd-opinion added
  • Type changed from defect (bug) to enhancement

In quite a lot of cases (this is from personal experience whilst debugging issues people have with the HTTP API) server configurations don't actually allow for proper HTTPS communication. HTTPS will be available, but the certificates will not be processed to ensure they're signed (just valid, so a MITM attack could insert a cert with the right name and pass). That isn't a WordPress configuration issue, rather a PHP configuration/PHP module configuration issue (the fact that WordPress can reliably make outgoing connections on many hosts is surprising in itself, honestly).

I'll leave the floor open for others on signing, though; I know there are a few people who follow trac who have had a lot more dealings with SSL outgoing connections too, so we can probably detect when we can definitely use verified SSL.

I'm marking this as an enhancement, simply due to it not being a "fault" condition in existing code, simply something which could be done better, and/or make a better product.
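The two controls the ticket and the comment above describe, as an added illustration that is not part of the ticket or of WordPress itself: a TLS client context that actually checks the certificate chain and hostname (rather than merely accepting any well-formed cert), plus an integrity check of the downloaded package against a digest obtained out of band. The URL, package bytes and pinned digest are constructed for the example; `fetch` is an injectable hook so the check can run offline.

```python
import hashlib
import hmac
import ssl
import urllib.request

def verified_tls_context() -> ssl.SSLContext:
    """Context that rejects untrusted chains and hostname mismatches.
    create_default_context() already loads the system CA store and sets
    CERT_REQUIRED + check_hostname; they are restated here so the intent
    is explicit and a later edit cannot silently relax them."""
    ctx = ssl.create_default_context()
    ctx.verify_mode = ssl.CERT_REQUIRED   # chain must lead to a trusted CA
    ctx.check_hostname = True             # cert name must match the host
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def context_is_verifying(ctx: ssl.SSLContext) -> bool:
    """True only if both chain validation and hostname checks are on."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def package_matches_pin(data: bytes, expected_sha256_hex: str) -> bool:
    """Constant-time comparison against a digest delivered out of band
    (e.g. in a signed manifest); a tampered body fails here even if the
    transport was intercepted."""
    return hmac.compare_digest(sha256_hex(data), expected_sha256_hex.lower())

def fetch_and_verify(url: str, expected_sha256_hex: str, fetch=None) -> bytes:
    """Download over verified TLS only, then refuse to hand back the
    package unless its digest matches the pin. `fetch` is a hypothetical
    hook used so tests can supply constructed bytes without a network."""
    if not url.lower().startswith("https://"):
        raise ValueError("refusing plaintext download: %s" % url)
    if fetch is None:
        ctx = verified_tls_context()
        def fetch(u):  # real path: urllib with the hardened context
            with urllib.request.urlopen(u, context=ctx) as resp:
                return resp.read()
    data = fetch(url)
    if not package_matches_pin(data, expected_sha256_hex):
        raise ValueError("integrity check failed; discarding package")
    return data
```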

  • Cc johnbillion@… added