[Trac_gajim-plugins] [Gajim Plugins] #79: Verify Integrity & Authenticity of downloaded plugins
Gajim Plugins
trac at gajim.org
Sun Oct 4 13:56:26 CEST 2015
#79: Verify Integrity & Authenticity of downloaded plugins
--------------------------+--------------------------------------
Reporter: azrdev | Owner: asterix
Type: enhancement | Status: new
Priority: major | Component: PluginInstallerPlugin
Resolution: | Keywords: authentication integrity
Blocked By: | Blocking:
--------------------------+--------------------------------------
Comment (by Ralf):
I agree that this is an important issue. Attacks that modify the code
downloaded by updaters are fairly common, and really unnecessary - all the
technology to avoid them is available. Software that downloads and runs
code without checking authenticity is simply irresponsible nowadays. Gajim
may be a small target, but that's no excuse.

The simplest fix would probably be switching the downloader to https, and
relying on the system certificate chain. Python has everything built-in
for this, and certificates can be obtained for free from StartSSL or
(soon) via lets-encrypt.

This is not a perfect solution, as the secret key would be permanently
exposed on the server - but it's a *huge* step compared to the current
situation.
--
Ticket URL: <http://trac-plugins.gajim.org/ticket/79#comment:1>
Gajim Plugins <http://trac-plugins.gajim.org/>
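
The approach suggested in the comment above (HTTPS with the system certificate chain), sketched as an added example that is not part of the ticket or of Gajim's code. It assumes the Python 3 standard library; `require_https`, `make_tls_context`, `make_opener`, `fetch_plugin` and `HTTPSOnlyRedirectHandler` are hypothetical names, and the size limit is an arbitrary illustrative value.

```python
import ssl
import urllib.request
from urllib.parse import urlsplit


def require_https(url):
    """Return url unchanged, or raise ValueError if it is not https://host/..."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("refusing non-HTTPS plugin URL: %r" % url)
    return url


class HTTPSOnlyRedirectHandler(urllib.request.HTTPRedirectHandler):
    """Refuse redirects that would downgrade the download to plain HTTP."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        require_https(newurl)
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def make_tls_context():
    """TLS context that validates the server chain against the system CA store."""
    ctx = ssl.create_default_context()
    # Already the defaults; set explicitly so a later edit cannot
    # silently weaken verification without it being visible here.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def make_opener():
    """Opener that verifies certificates and never follows a redirect to http://."""
    return urllib.request.build_opener(
        urllib.request.HTTPSHandler(context=make_tls_context()),
        HTTPSOnlyRedirectHandler(),
    )


def fetch_plugin(url, max_bytes=10 * 1024 * 1024, timeout=30):
    """Download a plugin archive over verified HTTPS, with a size limit."""
    require_https(url)
    with make_opener().open(url, timeout=timeout) as resp:
        data = resp.read(max_bytes + 1)
    if len(data) > max_bytes:
        raise ValueError("plugin archive larger than expected")
    return data
```

A certificate or hostname mismatch surfaces from `fetch_plugin` as `urllib.error.URLError`; the installer should treat that as a failed download rather than retrying without verification.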