Updates and downloads should be delivered securely
|Reported by:||wplid||Owned by:|
All channels for downloading Wordpress installations and plugins (e.g. from downloads.wordpress.org) should either be signed or delivered securely (e.g. via SSL) to mitigate man-in-the-middle attacks. Such attacks can lead to arbitrary code execution.
It appears that currently, downloads and automatic updates are neither signed nor delivered securely.
Change History (36)
- Component changed from General to Upgrade/Install
- Keywords 2nd-opinion added
- Type changed from defect (bug) to enhancement
comment:3 follow-ups: ↓ 4 ↓ 10 samuelsidler — 9 months ago
- Cc samuelsidler duck_ westi aaroncampbell nacin added
comment:16 samuelsidler — 8 months ago
- Summary changed from Updates and downloads should be signed or delivered securely to Updates and downloads should be delivered securely
comment:27 nacin — 8 months ago
- Milestone changed from Awaiting Review to 3.7
- Type changed from enhancement to task (blessed)