Pin the WordPress.org SSL certificates
|Reported by:||rmccue||Owned by:|
|Cc:||johnbillion, wordpress@…, erick@…|
#25007 introduced full SSL support for the streams transport, but still leaves us open to having a valid certificate posing as WordPress.org. This is a huge issue with things like auto-upgrades, since we need to ensure that we're acting in a safe manner.
The way this type of issue has been handled is to use certificate pinning. This has been in Chrome for Google-related properties since version 13 (with ever-expanding support) and Firefox is moving towards implementing it.
In terms of how we achieve this, we can simply set the cacert path to the .org certificates locally.
One issue we might want to consider here is whether this is flexible enough. Certificates may (should) expire, and we don't want sites everywhere breaking because of this. I believe the best solution here is to make a long-lived certificate for .org and bundle that as the CA, with the real certificates being signed by that one.