
On Aug 28, 2013, at 7:05 PM, Nick Coghlan <ncoghlan@gmail.com> wrote:
On 29 Aug 2013 03:17, "Trishank Karthik Kuppusamy" <tk47@students.poly.edu> wrote:
On 08/28/2013 12:09 PM, Christian Theune wrote:
Right. It doesn't add any security on its own, but it's a way that people can discover you're using SSL. :) I'll have to read up on how to do HSTS actually …
That was my next question. Does pip honour HSTS? I could be wrong, but I do not think so...
It's likely worth checking with Donald and Noah how the SSL enforcement on PyPI itself is set up. I believe the aim was just to ensure browsers are always using HTTPS, while switching other tools to SSL still requires client side updates.
Cheers, Nick.
_______________________________________________ Distutils-SIG maillist - Distutils-SIG@python.org http://mail.python.org/mailman/listinfo/distutils-sig
pip does not respect HSTS. It would be somewhat nice if it did, but the primary purpose of HSTS is to protect against SSL downgrade attacks and users' own error in entering http:// instead of https://. It's less important in a tool like pip, where https should be hardcoded. Its use would essentially work to remove user error if they accidentally enter an http:// url instead of an https:// url (which isn't a bad thing). HTTP on PyPI always redirects idempotent methods to HTTPS and it includes HSTS, but it does generally require client side updates to switch to HTTPS (in part because it requires client side updates to even validate SSL). As somebody else said, redirecting HTTP to HTTPS is a nice signal to users that they should be using HTTPS, but it doesn't actually protect users, as someone in a MITM position can intercept the redirect and just return content instead.

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
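The client-side HSTS handling the thread says pip lacks, as an added example that is not pip's code or anything posted in the thread: a small policy cache that only trusts a Strict-Transport-Security header received over HTTPS, honours max-age (including max-age=0 revocation) and includeSubDomains, and rewrites later http:// URLs for known hosts before a request is ever sent, so there is no plaintext redirect for a MITM to intercept. The header-dictionary key and the `HSTSCache` class name are assumptions of this example.

```python
import re
import time
from urllib.parse import urlsplit, urlunsplit

# Constructed example of a client-side HSTS cache (not pip's code): remember hosts that
# asserted Strict-Transport-Security over HTTPS and upgrade later http:// URLs for them.
_MAX_AGE = re.compile(r'max-age\s*=\s*"?(\d+)"?', re.IGNORECASE)


class HSTSCache:
    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be tested
        self._policies = {}        # host -> (expires_at, include_subdomains)

    def observe(self, url, headers):
        """Record an STS header; only trusted on an HTTPS response (RFC 6797 section 8.1)."""
        parts = urlsplit(url)
        value = headers.get("Strict-Transport-Security")   # assumed: exact-case header key
        if parts.scheme != "https" or not parts.hostname or value is None:
            return False
        match = _MAX_AGE.search(value)
        if not match:
            return False           # malformed directive: ignore rather than guess
        max_age = int(match.group(1))
        if max_age == 0:
            self._policies.pop(parts.hostname, None)   # max-age=0 tells the client to forget
            return True
        directives = [d.strip().lower() for d in value.split(";")]
        self._policies[parts.hostname] = (self._now() + max_age, "includesubdomains" in directives)
        return True

    def is_known(self, host):
        # True if host, or a parent domain with includeSubDomains, has an unexpired policy.
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            policy = self._policies.get(candidate)
            if policy is None:
                continue
            expires_at, include_sub = policy
            if expires_at <= self._now():
                del self._policies[candidate]    # expired: drop it
            elif i == 0 or include_sub:
                return True
        return False

    def upgrade(self, url):
        # Rewrite http:// to https:// for known hosts; an explicit :80 becomes the default 443.
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname or not self.is_known(parts.hostname):
            return url
        netloc = parts.hostname if parts.port in (None, 80) else parts.netloc
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
```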