[Pidgin] #15277: Windows installer relies on HTTP rather than HTTPS
Pidgin
trac at pidgin.im
Mon Aug 27 01:17:07 EDT 2012
#15277: Windows installer relies on HTTP rather than HTTPS
-------------------------+--------------------------------------------------
Reporter: ioerror | Owner: datallah
Type: enhancement | Status: new
Milestone: | Component: winpidgin (gtk)
Version: 2.10.6 | Resolution:
Keywords: security |
-------------------------+--------------------------------------------------
Comment(by ioerror):
Replying to [comment:5 datallah]:
> The pidgin.im URLs referenced here simply redirect to the SF.net
> download URLs.
>
> Instead of pinning certs (which I'm pretty sure the NSISdl
> infrastructure wouldn't support, and wouldn't work anyway since we're
> actually downloading from some SF.net mirror), I think we should make the
> installer validate the hash of the files it downloads against the expected
> value (with the expected hash value either baked into the installer, or
> preferably, downloaded via HTTPS).
>
I think it would be easier to just use HTTPS. There are a number of
attacks that are possible without it - too many to count, even if you have
an expected hash.
> FYI there is also an "offline" installer that includes these resources
> in the initial download.
Is that offline installer available over SSL?
--
Ticket URL: <http://developer.pidgin.im/ticket/15277#comment:6>
Pidgin <http://pidgin.im>
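
The hash check proposed in the quoted comment, sketched in Python as an added example (it is not Pidgin's installer code, which is built with NSIS). The file name, the pinned table and the helper names are hypothetical, and the payload is constructed so the block runs offline.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed sample standing in for a component the installer downloads.
SAMPLE_PAYLOAD = b"constructed sample runtime archive\n" * 1024
# Hypothetical table "baked into the installer": name -> (size, SHA-256 hex).
PINNED = {
    "runtime.zip": (len(SAMPLE_PAYLOAD), hashlib.sha256(SAMPLE_PAYLOAD).hexdigest()),
}

class VerificationError(Exception):
    """Raised when a download does not match its pinned size or digest."""

def chunked(data, size=4096):
    """Yield data in pieces, the way a network read loop would deliver it."""
    for i in range(0, len(data), size):
        yield data[i:i + size]

def install_verified(name, chunks, dest_dir, pinned=PINNED):
    """Stream chunks to a temp file; publish as dest_dir/name only on a match."""
    if name not in pinned:
        raise VerificationError(f"no pinned digest for {name!r}")
    want_size, want_hex = pinned[name]
    digest = hashlib.sha256()
    received = 0
    fd, tmp_path = tempfile.mkstemp(dir=dest_dir, suffix=".part")
    try:
        with os.fdopen(fd, "wb") as out:
            for chunk in chunks:
                received += len(chunk)
                if received > want_size:  # stop early on an oversized body
                    raise VerificationError("body longer than pinned size")
                digest.update(chunk)
                out.write(chunk)
        if received != want_size:
            raise VerificationError("body shorter than pinned size")
        if not hmac.compare_digest(digest.hexdigest(), want_hex):
            raise VerificationError("SHA-256 mismatch")
        final_path = os.path.join(dest_dir, name)
        os.replace(tmp_path, final_path)  # unverified bytes never get the final name
        return final_path
    except BaseException:
        if os.path.exists(tmp_path):
            os.remove(tmp_path)
        raise
```
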