vim.org does not use HTTPS

Brought to you by: scrott

#104 vim.org does not use HTTPS

Milestone: v1.0 (example)

Status: open

Owner: nobody

Labels: None

Priority: 5

Updated: 2016-03-04

Created: 2016-03-03

Creator: kb100

Private: No

vim.org does not use HTTPS. Some users prefer to connect securely to websites, and we would appreciate if vim.org allowed us to connect securely.

Discussion

fritzophrenic - 2016-03-04

I think "some users would prefer to connect securely" is understated. It is not very safe to download plugins or installers over plain http (or FTP), because they may have been tampered with. I'd certainly feel more comfortable if I could download from an https page (although I build my own Vim these days, and get most of my plugins from their source repository, so that's less of an issue for me).

Equally bad, the login form for plugin authors is not encrypted, so it would be easy to sniff their username and password. And the lack of a basic feature like HTTPS does not give "warm fuzzy feelings" for the password storage on the back-end. So it may be easy for an attacker to upload malicious scripts in the name of a respected plugin author.

Signing installers might mitigate the potential for modified installers, but it won't help with the plugins, so a secure download option and secure login should be supported.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Log in to post a comment.