[Pidgin] #15277: Windows installer relies on HTTP rather than HTTPS

Pidgin trac at pidgin.im
Mon Aug 27 01:17:07 EDT 2012

#15277: Windows installer relies on HTTP rather than HTTPS
 Reporter:  ioerror      |        Owner:  datallah       
     Type:  enhancement  |       Status:  new            
Milestone:               |    Component:  winpidgin (gtk)
  Version:  2.10.6       |   Resolution:                 
 Keywords:  security     |  

Comment(by ioerror):

 Replying to [comment:5 datallah]:
 > The pidgin.im URLs referenced here simply redirect to the SF.net
 download URLs.
 > Instead of pinning certs (which I'm pretty sure the NSISdl
 infrastructure wouldn't support, and wouldn't work anyway since we're
 actually downloading from some SF.net mirror), I think we should make the
 installer validate the hash of the files it downloads against the expected
 value (with the expected hash value either baked into the installer, or
 preferably, downloaded via HTTPS).

 I think it would be easier to just use HTTPS. There are a number of
 attacks that are possible without it - too many to count, even if you have
 an expected hash.

 > FYI there is also an "offline" installer that includes these resources
 in the initial download.

 Is that offline installer available over SSL?

Ticket URL: <http://developer.pidgin.im/ticket/15277#comment:6>
Pidgin <http://pidgin.im>

More information about the Tracker mailing list