
Opened 9 years ago

Closed 4 years ago

#11758 closed enhancement (fixed)

Plugin system has no protection against man in the middle attacks and similar

Reported by: manuel.reimer@… Owned by: team
Priority: normal Milestone:
Component: Core Version:
Keywords: template_report Cc:

Description

I had a closer look at how the plugin system works.

That the list itself is fetched via HTTPS is a good start, but it only contains a list of plugins. Most of them are loaded from HTTP sources.

This whole system should be protected in some way so it is not possible to replace the plugin file with some kind of malware.

Maybe a simple solution could be if the list, which is loaded via HTTPS, contains a checksum of the plugin file. If the fetched file does not match the checksum, then display an error and don't install the plugin.

Repository Root: http://josm.openstreetmap.de/svn
Build-Date: 2015-06-16 21:45:58
Last Changed Author: Don-vip
Revision: 8491
Repository UUID: 0c6e7542-c601-0410-84e7-c038aed88b3b
Relative URL: ^/trunk
URL: http://josm.openstreetmap.de/svn/trunk
Last Changed Date: 2015-06-16 23:27:08 +0200 (Tue, 16 Jun 2015)
Last Changed Rev: 8491

Identification: JOSM/1.5 (8491 en) Linux Arch Linux
Memory Usage: 352 MB / 1772 MB (251 MB allocated, but free)
Java version: 1.7.0_85, Oracle Corporation, OpenJDK 64-Bit Server VM
VM arguments: [-Djosm.restart=true]
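The scheme the reporter proposes, as an added example that is not JOSM's code: a plugin list delivered over an authenticated channel (HTTPS) pins a SHA-256 digest for each plugin file, and a file fetched over plain HTTP is installed only if its digest matches. The manifest format (tab-separated name, URL, digest), the plugin name, the URL and the file bytes are all constructed for this example.

```python
"""Checksum-pinned plugin installation (added example, not JOSM code).

Models the ticket's proposal: the plugin list, fetched over HTTPS, carries a
SHA-256 digest per plugin; a plugin file fetched over HTTP is installed only
when its digest matches the pinned value. Manifest format and all sample data
are constructed for this example.
"""
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a plugin file."""
    return hashlib.sha256(data).hexdigest()


# Constructed plugin file as published by the plugin author ...
GENUINE_JAR = b"PK\x03\x04 constructed examplePlugin.jar contents"
# ... and the same file altered in transit (one byte differs).
TAMPERED_JAR = b"PK\x03\x04 constructed examplePlugin.jar contentz"

# Constructed plugin list, as it would be served over HTTPS.
# Assumed format for this example: name<TAB>url<TAB>sha256-hex
TRUSTED_PLUGIN_LIST = (
    "# name\turl\tsha256\n"
    "examplePlugin\thttp://plugins.example.invalid/examplePlugin.jar\t"
    + sha256_hex(GENUINE_JAR)
    + "\n"
)


def parse_plugin_list(text: str) -> dict:
    """Map plugin name -> (download url, expected sha256 hex, lowercase)."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, url, digest = line.split("\t")
        entries[name] = (url, digest.lower())
    return entries


def verify_plugin(data: bytes, expected_hex: str) -> bool:
    """Compare the file digest against the pinned value (constant-time)."""
    return hmac.compare_digest(sha256_hex(data), expected_hex.lower())


def install_plugin(name: str, fetched: bytes, plugin_list: dict) -> str:
    """Return 'installed', or the reason the file was refused.

    A plugin that is absent from the trusted list, or whose digest does not
    match, is never installed: the list is the only authenticated input.
    """
    if name not in plugin_list:
        return "refused: plugin not in trusted list"
    _url, expected = plugin_list[name]
    if not verify_plugin(fetched, expected):
        return "refused: checksum mismatch"
    return "installed"


PLUGINS = parse_plugin_list(TRUSTED_PLUGIN_LIST)

if __name__ == "__main__":
    print(install_plugin("examplePlugin", GENUINE_JAR, PLUGINS))
    print(install_plugin("examplePlugin", TAMPERED_JAR, PLUGINS))
    print(install_plugin("unknownPlugin", GENUINE_JAR, PLUGINS))
```

The check is only as strong as the channel the list arrives over: if the list itself could be altered, the digest would be replaced along with the file, which is why the proposal relies on the list already being fetched via HTTPS. Serving the plugin files over HTTPS as well, the approach taken when the ticket was closed, removes the plain-HTTP hop entirely.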

Attachments (0)

Change History (1)

comment:1 by michael2402, 4 years ago

Resolution: fixed
Status: new → closed

All plugins are downloaded using HTTPS now; this should be as secure as we can get with automated checksums.
