id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc
8863	plugin code downloading and updating is not secured (most importantly: authenticated) at all	pendluuum	team	"plugin downloading and updating is not secured at all ... at least it is not obvious to me if there is a check currently (e.g. gpg signature verification of downloaded plugin packages).

The plugin update URLs (the [http://josm.openstreetmap.de/plugin list] itself and the .jar URLs in the list) should be https by default (loading to-be-executed code over an unsecured connection is no  good idea/bad practise, greetings to NSA and the authorities in China) and the self-signed JOSM certificate be accepted by hardcoding a whitelist exception for it it in the JOSM code. 

The plugin URLs seem to always point to svn.openstreetmap.org which currently does not seem to support https - that is to be fixed upstream first.

If downloading via https fails for some reason (maybe a new certificate was issued after the JOSM version was released) a dialog should offer to download via unsecured http (selections: ""this time only"" or ""everytime""). This (""everytime"") setting should be accessible via a checkbox in Settings/plugins/""edit plugin sources"". There also should be checkboxes (checked per default) named ""accept the josm.openstreetmap.de certificate (SHA1 …FD:61:3d)"" and ""accept the svn.openstreetmap.de certificate (SHA1 …xx:xx:xx)"".

If all of that is regarded as not relevant by the JOSM programmers then at least the user of JOSM plugins should be informed about that insecure practice when he first downloads a plugin."	enhancement	closed	normal		Core	tested	duplicate	security https