[Catalog-sig] [PSF-Members] Howto Guide for MITM attacks on PyPI

Donald Stufft donald.stufft at gmail.com
Mon Feb 4 14:35:22 CET 2013


On Monday, February 4, 2013 at 8:31 AM, Giovanni Bajo wrote:
> Not that I'm against doing it on the server side for now, anyway. It'll still be useful to users manually browsing to PyPI.

This is where it's important. If you're capable of MITM'ing pip you're capable of MITM'ing a web browser. It would not be a fun day if a password (or session cookie) got stolen via a MITM because someone signed on in a coffee shop (or at PyCon, etc.).
