[Pidgin] #15277: Windows installer relies on HTTP rather than HTTPS

Pidgin trac at pidgin.im
Sun Aug 26 12:06:49 EDT 2012

#15277: Windows installer relies on HTTP rather than HTTPS
 Reporter:  ioerror      |        Owner:  datallah       
     Type:  enhancement  |       Status:  new            
Milestone:               |    Component:  winpidgin (gtk)
  Version:  2.10.6       |   Resolution:                 
 Keywords:  security     |  

Comment(by datallah):

 The pidgin.im URLs referenced here simply redirect to the SF.net download

 Instead of pinning certs (which I'm pretty sure the NSISdl infrastructure
 wouldn't support, and wouldn't work anyway since we're actually
 downloading from some SF.net mirror), I think we should make the installer
 validate the hash of the files it downloads against the expected value
 (with the expected hash value either baked into the installer, or
 preferably, downloaded via HTTPS).

 FYI there is also an "offline" installer that includes these resources in
 the initial download.

Ticket URL: <http://developer.pidgin.im/ticket/15277#comment:5>
Pidgin <http://pidgin.im>

More information about the Tracker mailing list