[Pidgin] #15277: Windows installer relies on HTTP rather than HTTPS

Pidgin trac at pidgin.im
Wed Aug 22 22:02:03 EDT 2012

#15277: Windows installer relies on HTTP rather than HTTPS
 Reporter:  ioerror          |     Owner:  datallah
     Type:  defect           |    Status:  new     
Component:  winpidgin (gtk)  |   Version:  2.10.6  
 Keywords:  security         |  
 == Summary ==
 Pidgin's website and installer do not use HTTPS (SSL/TLS). It is not
 possible to download and install pidgin without being exposed to possible
 harm from unsophisticated attackers.

 This builds on some observations in #15276

 == Steps to reproduce ==

 Download pidgin - it appears to be only available over HTTP. The installer
 fetches further components over HTTP, including seemingly unsigned,
 unchecked executable code.

 == Expected results ==
 Secure installation of various pidgin components.

 The installer should be available over HTTPS (SSL/TLS) at the very least.
 The installer should download additional components over HTTPS if required
 *or* it should ensure that downloaded components are verified to be
 consistent with the expected results. It is however extremely tricky to
 ensure that a download operation is safe when it happens over HTTP, even
 with known cryptographic hashes.

 == Actual results ==

 A Man-in-the-Middle may replace the downloaded files with a backdoored
 copy of the gtk libraries, they may corrupt or serve malformed debug
 symbols among many other possible issues.

 == Regression ==
 None that I am aware of at this time.

 == Notes ==
 Pidgin could easily 'pin' the expected cert to be any cert that is
 required. The only time a "valid" (aka CA signed) certificate is required
 is when the user downloads the actual windows installer. Otherwise, the
 actual libraries, components and other files may be downloaded over a pre-
 authenticated certificate or a certificate that is alternatively signed by
 a CA only trusted by the pidgin installer.

Ticket URL: <http://developer.pidgin.im/ticket/15277>
Pidgin <http://pidgin.im>

More information about the Tracker mailing list