[Pidgin] #16406: Ditch Windows Sourceforge downloads to something better which does support HTTPS
Pidgin
trac at pidgin.im
Fri Oct 24 10:00:24 EDT 2014
#16406: Ditch Windows Sourceforge downloads to something better which does support HTTPS
--------------------+----------------------
Reporter: DrWhax | Owner: bleeter
Type: defect | Status: new
Milestone: | Component: privacy
Version: | Keywords: security
--------------------+----------------------
Pidgin serves the Windows binaries through Sourceforge, which doesn't
support https in 2014. Let me explain to you why this is a bad idea.
Pidgin is one of the most used open source IM programs throughout the
world, including in dangerous parts of the world with Pidgin-OTR. These
people have to rely on http and don't get any basic security.
* Sourceforge bundled adware with downloads. [1]
* Man in the middle attacks can modify the binary with malicious code.
* No HTTPS with PFS in 2014 is a '''very''' bad idea.
* Even if Tor is used, binaries could be modified with malicious code. [2]
* There's probably a bunch of NSA routers in the world that hugely benefit
from those HTTP downloads!
How can I help the Pidgin project in serving HTTPS with PFS/HSTS Windows
build downloads?
[1] http://blog.gluster.org/2013/08/how-far-the-once-mighty-sourceforge-has-fallen/
[2] http://www.leviathansecurity.com/blog/the-case-of-the-modified-binaries/
--
Ticket URL: <https://developer.pidgin.im/ticket/16406>
Pidgin <https://pidgin.im>
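The scenarios the ticket lists (cleartext HTTP with an on-path attacker rewriting the installer, versus HTTPS, with and without an out-of-band digest check) as an added, runnable illustration. This is example code written for this page, not code from the ticket or from the Pidgin project: the installer bytes, the attacker's payload, the "published" digest, the placeholder URLs and the in-process transport are all constructed so that it runs offline; only the digest verification is the real check a user would run on a downloaded file.

```python
"""Added example, not code from the Pidgin ticket or the Pidgin project:
an in-process simulation of the download scenarios the ticket describes,
plus the integrity check a user can run on a real installer file.

Everything network-related is simulated so this runs offline; the installer
bytes, the attacker's payload and the "published" digest are constructed.
"""
import hashlib
import hmac
from typing import Optional
from urllib.parse import urlparse

# Constructed stand-in for the genuine Windows installer bytes.
GENUINE_INSTALLER = b"MZ\x90\x00 pidgin-installer.exe (constructed sample)"
# Digest the project would publish on an authenticated (HTTPS) page or in a
# signed file; the user obtains it out of band, not over the same HTTP path.
PUBLISHED_SHA256 = hashlib.sha256(GENUINE_INSTALLER).hexdigest()
# Constructed stand-in for bytes an on-path attacker appends to the download.
INJECTED_PAYLOAD = b"\x00 adware-stub (constructed sample)"


def fetch(url: str, attacker_on_path: bool) -> bytes:
    """Simulated transport, selected by URL scheme.

    http:  cleartext; an on-path attacker rewrites the bytes and the client
           cannot tell.
    https: the attacker can only break the connection (the client verifies the
           server certificate); the bytes that do arrive are the server's.
    """
    scheme = urlparse(url).scheme
    if scheme == "https":
        if attacker_on_path:
            raise ConnectionError("TLS handshake failed: certificate mismatch")
        return GENUINE_INSTALLER
    if scheme == "http":
        return GENUINE_INSTALLER + INJECTED_PAYLOAD if attacker_on_path else GENUINE_INSTALLER
    raise ValueError(f"unsupported URL scheme: {scheme!r}")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_digest(data: bytes, expected_hex: str) -> bool:
    """Constant-time comparison against the published digest."""
    return hmac.compare_digest(sha256_hex(data), expected_hex.lower())


def verify_file(path: str, expected_hex: str) -> bool:
    """Same check for a real installer on disk (reads in chunks). Not used by
    the simulation; present so the check is usable on an actual download."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return hmac.compare_digest(h.hexdigest(), expected_hex.lower())


def download(url: str, expected_hex: Optional[str] = None,
             attacker_on_path: bool = False) -> bytes:
    """Fetch and, when a published digest is supplied, refuse anything that
    does not match it."""
    data = fetch(url, attacker_on_path)
    if expected_hex is not None and not verify_digest(data, expected_hex):
        raise ValueError("digest mismatch: download altered or not the published build")
    return data


def outcome(url: str, attacker_on_path: bool, check_digest: bool) -> str:
    """What the user ends up executing: 'genuine', 'tampered' or 'refused'."""
    try:
        data = download(url, PUBLISHED_SHA256 if check_digest else None, attacker_on_path)
    except (ConnectionError, ValueError):
        return "refused"
    return "genuine" if data == GENUINE_INSTALLER else "tampered"


if __name__ == "__main__":
    # Placeholder URLs for the demonstration, not real download locations.
    for url in ("http://downloads.example/pidgin.exe", "https://downloads.example/pidgin.exe"):
        for attacker in (False, True):
            for check in (False, True):
                print(f"{url:42} attacker={attacker!s:5} digest_check={check!s:5} -> "
                      f"{outcome(url, attacker, check)}")
```

The matrix the script prints makes the ticket's argument concrete: over HTTP with an attacker on path and no digest check the user runs the tampered file, the digest check turns that into a refusal, and over HTTPS the attacker can only cause a refusal. The caveat is that the digest check is only as good as the channel the digest came from; if the page listing the hashes is itself served over HTTP, the same attacker rewrites the hash alongside the binary, which is why the ticket asks for the download path itself to be HTTPS rather than relying on published checksums.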