[Trac_gajim-plugins] [Gajim Plugins] #79: Verify Integrity & Authenticity of downloaded plugins

Gajim Plugins trac at gajim.org
Mon Oct 5 11:29:45 CEST 2015

#79: Verify Integrity & Authenticity of downloaded plugins
  Reporter:  azrdev       |      Owner:  asterix
      Type:  enhancement  |     Status:  new
  Priority:  major        |  Component:  PluginInstallerPlugin
Resolution:               |   Keywords:  authentication integrity
Blocked By:               |   Blocking:

Comment (by azrdev):

 > I don't see how downloading a checksum from the same server via the same
 way could help improve security.
 It doesn't help against server compromise, but against a man-in-the-middle
 altering/intercepting the connection to ftp.gajim.org.

 Also, an integrity check protects against (unintended) corruption of the
 downloaded code; afaik plain zip is not really fulfilling that job.

 > GPG is not an option as not everybody has it, far from that!

 > We already use secured FTP (without checking cert ...)
 I (probably) wasn't aware of that. With secure FTP we get security against
 an attacker altering our connection to (the genuine) ftp.gajim.org. Still,
 she could impersonate that server, which we don't detect, since we don't
 authenticate it (e.g. using the certificate check).

 So enabling cert check would already solve this issue.

Ticket URL: <http://trac-plugins.gajim.org/ticket/79#comment:4>
Gajim Plugins <http://trac-plugins.gajim.org/>
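The two checks discussed in this comment, shown side by side as an added example. This is not code from Gajim or the PluginInstallerPlugin; Python is used because Gajim itself is a Python project. The plugin archive layout, its contents, the function names and the use of ftplib.FTP_TLS are assumptions for illustration. The first pair of functions shows the FTPS setting the thread describes (TLS without certificate verification) beside the corrected one (chain verified against the system trust store plus host-name check); the rest shows why a plain zip's own CRC is not an integrity check against an attacker, while a SHA-256 digest obtained independently of the download is.

```python
"""Added example, not Gajim's code: certificate verification for FTPS and
integrity checking of a downloaded plugin archive."""
import hashlib
import hmac
import io
import ssl
import zipfile
from ftplib import FTP_TLS


def unverified_tls_context() -> ssl.SSLContext:
    """FTPS as described in the thread: TLS is used, but the server certificate
    is never checked, so a man in the middle can present any certificate and
    impersonate ftp.gajim.org undetected."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False      # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verified_tls_context() -> ssl.SSLContext:
    """The fix proposed in the comment: require a certificate that chains to
    the system trust store and matches the host name we dialled."""
    ctx = ssl.create_default_context()
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def context_verifies_peer(ctx: ssl.SSLContext) -> bool:
    """True only if the context authenticates the server (chain + host name)."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def open_ftps(host: str, verify: bool = True) -> FTP_TLS:
    """Connect over explicit FTPS with or without peer verification.
    Needs network access; not exercised by the offline part of this example."""
    ctx = verified_tls_context() if verify else unverified_tls_context()
    ftp = FTP_TLS(context=ctx)
    ftp.connect(host, 21)
    ftp.login()
    ftp.prot_p()  # encrypt the data channel too, not only the control channel
    return ftp


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_matches(data: bytes, expected_hex: str) -> bool:
    """Integrity check against a digest obtained independently of the download
    (assumption: published with the plugin list); constant-time comparison."""
    return hmac.compare_digest(sha256_hex(data), expected_hex.strip().lower())


def zip_is_intact(data: bytes) -> bool:
    """What a plain zip gives you: per-member CRC32 only. It catches bit rot
    and truncation, but anyone who rebuilds the archive also rebuilds the CRCs."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.testzip() is None
    except zipfile.BadZipFile:
        return False


def build_plugin_zip(plugin_source: str) -> bytes:
    """Constructed sample archive with a hypothetical plugin layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("demo_plugin/manifest.ini", "[info]\nname = demo\n")
        zf.writestr("demo_plugin/plugin.py", plugin_source)
    return buf.getvalue()


# Constructed inputs: the genuine archive, an attacker-substituted one with
# perfectly valid CRCs, and a copy of the genuine one with a single flipped byte.
GENUINE = build_plugin_zip("print('hello from demo')\n")
FORGED = build_plugin_zip("import os; os.system('id')\n")
_damaged = bytearray(GENUINE)
_damaged[GENUINE.index(b"hello")] ^= 0xFF
CORRUPTED = bytes(_damaged)


if __name__ == "__main__":
    published = sha256_hex(GENUINE)
    for name, blob in (("genuine", GENUINE), ("forged", FORGED), ("corrupted", CORRUPTED)):
        print(name, "zip-crc-ok:", zip_is_intact(blob), "sha256-ok:", sha256_matches(blob, published))
```

The forged archive passes the zip's own CRC check and fails only the digest comparison; the bit-flipped one fails both. The digest check is only as good as the channel the expected digest arrives over, which is why the certificate check in verified_tls_context() matters either way.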
