[Pidgin] #16406: Ditch Windows Sourceforge downloads to something better which does support HTTPS

Pidgin trac at pidgin.im
Fri Oct 24 10:00:24 EDT 2014


#16406: Ditch Windows Sourceforge downloads to something better which does support HTTPS
--------------------+----------------------
 Reporter:  DrWhax  |      Owner:  bleeter
     Type:  defect  |     Status:  new
Milestone:          |  Component:  privacy
  Version:          |   Keywords:  security
--------------------+----------------------
 Pidgin serves the Windows binaries through Sourceforge, which doesn't
 support https in 2014. Let me explain to you why this is a bad idea.

 Pidgin is one of the most used open source IM software throughout the
 world, including in dangerous parts of the world with Pidgin-OTR. These
 people have to rely on http and don't get any basic security.

 * Sourceforge bundled adware with downloads. [1]
 * Man in the middle attacks can modify the binary with malicious code.
 * No HTTPS with PFS in 2014 is a '''very''' bad idea.
 * Even if Tor is used, binaries could be modified with malicious code. [2]
 * There's probably a bunch of NSA routers in the world that hugely benefit
 from those HTTP downloads!

 How can I help the Pidgin project in serving HTTPS with PFS/HSTS Windows
 build downloads?

 [1] http://blog.gluster.org/2013/08/how-far-the-once-mighty-sourceforge-has-fallen/
 [2] http://www.leviathansecurity.com/blog/the-case-of-the-modified-binaries/

--
Ticket URL: <https://developer.pidgin.im/ticket/16406>
Pidgin <https://pidgin.im>
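The ticket asks for downloads served over HTTPS with PFS and HSTS. The check below, added here as an example and not part of the ticket or of Pidgin's code, audits a download URL against those three requirements from already-captured values: the URL, the response headers and the negotiated cipher name (OpenSSL-style names such as `ECDHE-RSA-AES128-GCM-SHA256`; the sample inputs are constructed, `example.invalid` is a placeholder host, and the 180-day HSTS floor is an assumed policy value).

```python
import re
from urllib.parse import urlparse

# Key exchanges that give forward secrecy: ephemeral (EC)DH in TLS <= 1.2
# (OpenSSL name prefixes) and every TLS 1.3 suite (all named "TLS_...").
PFS_KEX_PREFIXES = ("ECDHE-", "DHE-", "TLS_")


def parse_hsts(header):
    """Parse Strict-Transport-Security into (max_age, include_subdomains).

    Returns None when the header is absent or has no valid max-age, since
    a browser ignores an HSTS header without one.
    """
    if not header:
        return None
    max_age, include_sub = None, False
    for directive in header.split(";"):
        directive = directive.strip()
        m = re.fullmatch(r'max-age\s*=\s*"?(\d+)"?', directive, re.IGNORECASE)
        if m:
            max_age = int(m.group(1))
        elif directive.lower() == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


def audit_download_channel(url, headers, cipher=None, min_hsts_age=180 * 86400):
    """Return a list of findings; an empty list means the channel meets the bar."""
    findings = []
    if urlparse(url).scheme.lower() != "https":
        findings.append("plaintext transport: an on-path party can replace the binary")
        return findings  # HSTS and cipher checks are meaningless without TLS
    hdrs = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    hsts = parse_hsts(hdrs.get("strict-transport-security"))
    if hsts is None:
        findings.append("no HSTS: typed or bookmarked http:// URLs can be downgraded")
    elif hsts[0] < min_hsts_age:
        findings.append(f"HSTS max-age {hsts[0]} is below the assumed floor of {min_hsts_age}")
    if cipher is not None and not cipher.upper().startswith(PFS_KEX_PREFIXES):
        findings.append(f"cipher {cipher} lacks forward secrecy (static RSA key exchange)")
    return findings


if __name__ == "__main__":
    # Constructed sample: a plaintext mirror versus a properly configured one.
    print(audit_download_channel("http://example.invalid/pidgin.exe", {}))
    print(audit_download_channel(
        "https://example.invalid/pidgin.exe",
        {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
        cipher="ECDHE-RSA-AES128-GCM-SHA256"))
```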