On Aug 28, 2013, at 7:05 PM, Nick Coghlan <ncoghlan@gmail.com> wrote:


On 29 Aug 2013 03:17, "Trishank Karthik Kuppusamy" <tk47@students.poly.edu> wrote:
>
> On 08/28/2013 12:09 PM, Christian Theune wrote:
> > Right. It doesn't add any security on its own, but it's a way that
> > people can discover you're using SSL. :) I'll have to read up on how
> > to do HSTS actually …
>
> That was my next question. Does pip honour HSTS? I could be wrong, but I
> do not think so...

It's likely worth checking with Donald and Noah how the SSL enforcement on PyPI itself is set up. I believe the aim was just to ensure browsers are always using HTTPS, while switching other tools to SSL still requires client side updates.

Cheers,
Nick.

>
>
> _______________________________________________
> Distutils-SIG maillist  -  Distutils-SIG@python.org
> http://mail.python.org/mailman/listinfo/distutils-sig
>

pip does not respect HSTS. It would be somewhat nice if it did, but the primary purpose
of HSTS is to protect against SSL downgrade attacks and users' own error in entering
http:// instead of https://. It's less important in a tool like pip where https should be
hardcoded. Its use would essentially work to remove user error if they accidentally enter
an http:// url instead of an https:// url (which isn't a bad thing).

HTTP on PyPI always redirects idempotent methods to HTTPS and it includes HSTS, but
it does generally require client-side updates to switch to HTTPS (in part because it
requires client-side updates to even validate SSL).

As somebody else said, redirecting HTTP to HTTPS is a nice signal to users that they
should be using HTTPS, but it doesn't actually protect users, as someone in a MITM position
can intercept the redirect and just return content instead.

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA