Windows installer relies on HTTP rather than HTTPS
Reported by: ioerror | Owned by: datallah
Pidgin's website and installer do not use HTTPS (SSL/TLS). It is not possible to download and install pidgin without being exposed to possible harm from unsophisticated attackers.
This builds on some observations in #15276
Steps to reproduce
Download pidgin - it appears to be only available over HTTP. The installer fetches further components over HTTP, including seemingly unsigned, unchecked executable code.
Secure installation of various pidgin components.
The installer should be available over HTTPS (SSL/TLS) at the very least. The installer should download additional components over HTTPS if required *or* it should ensure that downloaded components are verified to be consistent with the expected results. It is however extremely tricky to ensure that a download operation is safe when it happens over HTTP, even with known cryptographic hashes.
A Man-in-the-Middle may replace the downloaded files with a backdoored copy of the gtk libraries; they may also corrupt or serve malformed debug symbols, among many other possible issues.
None that I am aware of at this time.
Pidgin could easily 'pin' the expected cert to be any cert that is required. The only time a "valid" (aka CA signed) certificate is required is when the user downloads the actual Windows installer. Otherwise, the actual libraries, components and other files may be downloaded over a pre-authenticated certificate or a certificate that is alternatively signed by a CA only trusted by the pidgin installer.
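The two mitigations the ticket asks for (verify each fetched component against an expected digest, and trust only a CA that ships with the installer) can be sketched as follows. This is an added example written for this page, not Pidgin's installer code; the manifest, the component contents and the `cafile` parameter are constructed for illustration. The key design point is that the digest table must live inside the signed installer itself, because a digest list fetched over plain HTTP can be swapped along with the payload, which is exactly the trap the ticket warns about.

```python
"""Verify installer components against an embedded SHA-256 manifest and build
a TLS context that trusts only a CA bundled with the installer.

Added example; not Pidgin code. All sample data below is constructed.
"""
import hashlib
import hmac
import ssl
from typing import Dict

# Constructed stand-ins for the real component payloads.
GOOD_GTK = b"constructed stand-in for the GTK runtime bundle"
GOOD_SYMBOLS = b"constructed stand-in for the debug symbols archive"

# Manifest: component name -> expected SHA-256 hex digest.
# In a real installer this table is compiled into the signed installer
# binary, so nothing on the network path can alter it.
MANIFEST: Dict[str, str] = {
    "gtk-runtime.zip": hashlib.sha256(GOOD_GTK).hexdigest(),
    "pidgin-debug-symbols.zip": hashlib.sha256(GOOD_SYMBOLS).hexdigest(),
}


class VerificationError(Exception):
    """Raised when a downloaded component must not be installed."""


def verify_component(name: str, data: bytes,
                     manifest: Dict[str, str] = MANIFEST) -> bool:
    """Return True only if `data` matches the manifest digest for `name`.

    Unknown component names are rejected, so an attacker cannot introduce
    an extra 'component' the installer never expected.
    """
    expected = manifest.get(name)
    if expected is None:
        raise VerificationError(f"{name}: not listed in the manifest")
    actual = hashlib.sha256(data).hexdigest()
    # Constant-time comparison; avoids leaking how many leading bytes matched.
    if not hmac.compare_digest(actual, expected):
        raise VerificationError(f"{name}: SHA-256 mismatch")
    return True


def safe_to_install(name: str, data: bytes) -> bool:
    """Boolean wrapper for callers that only need an install/reject decision."""
    try:
        return verify_component(name, data)
    except VerificationError:
        return False


def pinned_tls_context(cafile: str) -> ssl.SSLContext:
    """TLS context that trusts only the CA certificate shipped with the
    installer (the ticket's 'CA only trusted by the pidgin installer').

    `cafile` is a hypothetical path to that bundled PEM file; the system
    trust store is deliberately not loaded, so a certificate from any other
    CA is rejected even if the OS would accept it.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # hostname check + CERT_REQUIRED
    ctx.load_verify_locations(cafile=cafile)
    return ctx


if __name__ == "__main__":
    print("genuine gtk:  ", safe_to_install("gtk-runtime.zip", GOOD_GTK))
    print("tampered gtk: ", safe_to_install("gtk-runtime.zip", GOOD_GTK + b"\x90"))
    print("unlisted file:", safe_to_install("extra-helper.exe", b"anything"))
```

Pair `pinned_tls_context()` with `urllib.request.urlopen(url, context=ctx)` for the component fetches; the digest check then catches a substituted payload even if the transport somehow failed, and the pinned CA keeps a rogue but publicly-trusted certificate from passing TLS validation in the first place.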