[Catalog-sig] [PSF-Members] Howto Guide for MITM attacks on PyPI
Christian Heimes
christian at python.org
Mon Feb 4 13:23:58 CET 2013
Am 04.02.2013 13:22, schrieb Donald Stufft:
> On Monday, February 4, 2013 at 7:20 AM, Donald Stufft wrote:
>> There can be more work in the future in making a reasonable
>> end to end validation story possible however there are a few
>> clear and easy wins especially with related to getting a real
>> trusted SSL certificate paid for and installed and enforcing
>> SSL.
> I should probably note that both SSL and DNSSEC are steps
> taken by Crate.io to prevent MITM. Crate went so far as to
> contact Chrome and get crate.io added to the HSTS preload
> list in Chrome so that in Chrome it's impossible to ever
> access Crate w/o a valid SSL certificate.
+1 for HSTS
I wrote an email regarding HSTS to the infrastructure list about 15
minutes ago. It's good to see that you have the same opinion. :)
More information about the Catalog-SIG
mailing list