[Trac_gajim-plugins] [Gajim Plugins] #79: Verify Integrity & Authenticity of downloaded plugins
Gajim Plugins
trac at gajim.org
Mon Oct 5 11:29:45 CEST 2015
#79: Verify Integrity & Authenticity of downloaded plugins
--------------------------+--------------------------------------
Reporter: azrdev | Owner: asterix
Type: enhancement | Status: new
Priority: major | Component: PluginInstallerPlugin
Resolution: | Keywords: authentication integrity
Blocked By: | Blocking:
--------------------------+--------------------------------------
Comment (by azrdev):
> I don't see how downloading a checksum from the same server via the same
> way could help improve security.
It doesn't help against server compromise, but against a man in the middle
altering/intercepting the connection to ftp.gajim.org.
Also, integrity check protects against (unintended) corruption of the
downloaded code, afaik plain zip is not really fulfilling that job.
> GPG is not an option as not everybody has it, far from that!
granted.
> We already use secured FTP (without checking cert ...)
I (probably) wasn't aware of that. With secure FTP we get security against
an attacker altering our connection to (the genuine) ftp.gajim.org. Still,
she could impersonate that server, which we don't detect, since we don't
authenticate (e.g. using the certificate check).
So enabling cert check would already solve this issue.
--
Ticket URL: <http://trac-plugins.gajim.org/ticket/79#comment:4>
Gajim Plugins <http://trac-plugins.gajim.org/>
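The two points raised in the comment above, the missing certificate check on the FTPS connection and an integrity check of the downloaded plugin archive, as an added Python example that is not Gajim's or the plugin installer's own code. Function names, the use of port 21 with anonymous login, and the constructed sample bytes are assumptions; only the host ftp.gajim.org comes from the ticket.

```python
import hashlib
import hmac
import ssl
from ftplib import FTP_TLS


def insecure_ftps_context() -> ssl.SSLContext:
    # The setting the ticket describes: TLS encrypts the channel, but with no
    # certificate verification a server impersonating ftp.gajim.org is
    # accepted silently and can serve arbitrary plugin archives.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verified_ftps_context() -> ssl.SSLContext:
    # Corrected setting: system CA bundle, hostname check and CERT_REQUIRED,
    # so an impersonated server fails the handshake instead of serving code.
    return ssl.create_default_context()


def context_verifies_peer(ctx: ssl.SSLContext) -> bool:
    # True only when both the chain and the hostname are actually checked.
    return ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED


def connect_plugin_server(host: str = "ftp.gajim.org") -> FTP_TLS:
    # Hypothetical connection helper: control channel over TLS with the
    # verifying context, then PROT P so the data channel is protected too.
    ftps = FTP_TLS(context=verified_ftps_context())
    ftps.connect(host, 21)
    ftps.login()  # anonymous login assumed
    ftps.prot_p()
    return ftps


def plugin_zip_matches(data: bytes, expected_sha256_hex: str) -> bool:
    # Integrity check against a published digest: catches corruption in
    # transit, and tampering when the digest itself arrives over an
    # authenticated channel. It does nothing against a compromised server.
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_sha256_hex.lower())


# Constructed stand-in for a downloaded plugin archive and its digest.
SAMPLE_ARCHIVE = b"abc"
SAMPLE_SHA256 = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
```

Only the verifying context and the digest check are exercised offline; connect_plugin_server() needs network access and a server presenting a valid certificate.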