[Trac_gajim-plugins] [Gajim Plugins] #79: Verify Integrity & Authenticity of downloaded plugins

Gajim Plugins trac at gajim.org
Sun Oct 4 13:56:26 CEST 2015

#79: Verify Integrity & Authenticity of downloaded plugins
  Reporter:  azrdev       |      Owner:  asterix
      Type:  enhancement  |     Status:  new
  Priority:  major        |  Component:  PluginInstallerPlugin
Resolution:               |   Keywords:  authentication integrity
Blocked By:               |   Blocking:

Comment (by Ralf):

 I agree that this is an important issue. Attacks that modify the code
 downloaded by updaters are fairly common, and really unnecessary - all the
 technology to avoid them is available. Software that downloads and runs
 code without checking authenticity is simply irresponsible nowadays. Gajim
 may be a small target, but that's no excuse.

 The simplest fix would probably be switching the downloader to https, and
 relying on the system certificate chain. Python has everything built-in
 for this, and certificates can be obtained for free from StartSSL or
 (soon) via lets-encrypt.
 This is not a perfect solution, as the secret key would be permanently
 exposed on the server - but it's a *huge* step compared to the current

Ticket URL: <http://trac-plugins.gajim.org/ticket/79#comment:1>
Gajim Plugins <http://trac-plugins.gajim.org/>
Gajim Plugins

More information about the Trac_gajim-plugins mailing list