Insecure Automatic Update #2146
Labels
duplicate
For issues that already existed in our issue tracker and were reported previously.
Enhancement
For new feature suggestions that enhance Matomo's capabilities or add a new report, new API etc.
Milestone
Comments
|
GnuPG already has a ticket in #1757. It is a low priority feature because the required extensions/libraries aren't part of the core PHP distribution, so very few Piwik users would benefit from this feature. It's already possible to use https. For example, in config/global.ini.php: However, there are technical drawbacks described in #1867. |
|
Thanks. I'll take a look. |
This issue was closed.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Right now, the automated update doesn't appear to check the authenticity of the zip. It would be straightforward in some networks to alias the piwik.org domain to some malicious machine containing a compromised zip. Some options are to download only via https, or verify a GnuPG detached signature with it.
The text was updated successfully, but these errors were encountered: