[Catalog-sig] HTTPS now promoted on PyPI

Giovanni Bajo rasky at develer.com
Tue Feb 19 14:35:21 CET 2013


On 19 Feb 2013, at 14:27, Donald Stufft <donald.stufft at gmail.com> wrote:

> On Tuesday, February 19, 2013 at 8:23 AM, Giovanni Bajo wrote:
>> What are the benefits of redirects? I think they just hide potential problems, and they can still be exploited by MITM through SSL stripping. Plus, they cause breakage and/or UX problems in existing tools.
> If you do not redirect users to HTTPS you cannot set HSTS until they
> manually visit a HTTPS url. The redirect allows an easy way to force
> everyone to visit a HTTPS url immediately upon navigating to PyPI.

We have two different kinds of users:
1) Browsers
2) Tools

For browsers, yes, a redirect would be useful. For tools, not so much (in fact, it can give a false feeling of security). This is also why I was proposing to apply for the Chromium and Mozilla whitelists once HSTS is properly deployed (a max-age > 6 months is needed to apply).

I would be OK with redirecting for browsers (matching the user agent for instance), but I would try to disable for tools as much as possible. 


>> Given that they give basically no security, I would suggest their removal until we fix all important issues in all third-party tools. For browsers, since you can still serve HSTS headers even without redirects, we can get it included in the Chrome and Firefox built-in HSTS lists.
> HSTS can only be sent within a HTTPS response w/ a Valid SSL certificate, to
> allow otherwise would allow MITM to effectively prevent a user from visiting
> a site.


If we get included in those whitelists, we technically won't need redirects (though it wouldn't be hard to leave them in).
-- 
Giovanni Bajo   ::  rasky at develer.com
Develer S.r.l.  ::  http://www.develer.com

My Blog: http://giovanni.bajo.it
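The following Python is an added illustration of the distinction argued in this thread; it is not code from PyPI, pip, or any participant. It models a front end that only emits Strict-Transport-Security on HTTPS responses and redirects browsers (but not tools) from http:// to https://, an on-path attacker doing SSL stripping, a browser that honours HSTS, and two tool behaviours: one that trusts redirects and one that refuses to start on http:// at all. The function names, the user-agent heuristic, the network model and the one-year max-age (chosen to satisfy the "> 6 months" stated above) are all assumptions made for this example.

```python
"""Added example: HSTS is only meaningful on an HTTPS response, and an
http:// -> https:// redirect helps a browser that will later honour HSTS
but gives a non-browser tool no protection against SSL stripping.
Not code from PyPI, pip, or this thread; all names are assumptions."""
from urllib.parse import urlsplit

# Assumption: one year, which satisfies the "> 6 months" quoted in the thread.
HSTS_MAX_AGE = 31536000
HSTS_HEADER = f"max-age={HSTS_MAX_AGE}; includeSubDomains"

# Assumed heuristic for "looks like a browser"; a real deployment would
# need a maintained list, not three substrings.
BROWSER_UA_MARKERS = ("Mozilla/", "Chrome/", "Safari/")


def is_browser(user_agent):
    return any(m in user_agent for m in BROWSER_UA_MARKERS)


def origin_response(url, user_agent):
    """Hypothetical front-end policy. Returns (status, headers, body).

    HSTS is sent only on HTTPS: browsers ignore Strict-Transport-Security
    on a plain-HTTP response, so emitting it there would be pointless."""
    parts = urlsplit(url)
    if parts.scheme == "https":
        return 200, {"Strict-Transport-Security": HSTS_HEADER}, "simple index"
    if is_browser(user_agent):
        return 301, {"Location": "https://" + parts.netloc + parts.path}, ""
    # Tool over plain HTTP: serve as-is, no redirect, no HSTS.
    return 200, {}, "simple index"


def honest_network(url, user_agent):
    """No attacker: the client reaches the origin directly."""
    return origin_response(url, user_agent)


def stripping_network(url, user_agent):
    """On-path attacker: fetches over HTTPS itself and hands the client
    plain HTTP. A client that started on http:// sees neither a redirect
    nor an HSTS header, so nothing tells it anything is wrong."""
    parts = urlsplit(url)
    if parts.scheme == "http":
        _status, _headers, body = origin_response(
            "https://" + parts.netloc + parts.path, user_agent)
        return 200, {}, body + " (attacker-controlled)"
    return origin_response(url, user_agent)


def browser_fetch(url, network, hsts_hosts, user_agent="Mozilla/5.0"):
    """Browser: records HSTS from HTTPS responses and upgrades later
    plain-HTTP requests to those hosts internally, before touching the
    network. Returns (final_url, body)."""
    parts = urlsplit(url)
    if parts.scheme == "http" and parts.netloc in hsts_hosts:
        url = "https://" + parts.netloc + parts.path  # no HTTP request is made
    for _ in range(3):
        status, headers, body = network(url, user_agent)
        if urlsplit(url).scheme == "https" and "Strict-Transport-Security" in headers:
            hsts_hosts.add(urlsplit(url).netloc)
        if status == 301:
            url = headers["Location"]
            continue
        return url, body
    raise RuntimeError("too many redirects")


def naive_tool_fetch(url, network, user_agent="my-tool/1.0"):
    """Tool that follows redirects and accepts whatever scheme it ends on."""
    for _ in range(3):
        status, headers, body = network(url, user_agent)
        if status == 301:
            url = headers["Location"]
            continue
        return url, body
    raise RuntimeError("too many redirects")


def strict_tool_fetch(url, network, user_agent="my-tool/1.0"):
    """Tool that refuses a non-HTTPS index URL outright (fail closed)."""
    if urlsplit(url).scheme != "https":
        raise ValueError(f"refusing non-HTTPS index URL: {url}")
    status, headers, body = network(url, user_agent)
    if status != 200:
        raise RuntimeError(f"unexpected status {status}")
    return url, body


if __name__ == "__main__":
    # Constructed sample run with a placeholder host name.
    idx = "http://pypi.example/simple/"
    print(naive_tool_fetch(idx, stripping_network))   # stripped, tool is none the wiser
    cache = set()
    browser_fetch(idx, honest_network, cache)         # learns HSTS on first honest visit
    print(browser_fetch(idx, stripping_network, cache))  # upgraded before the attacker sees it
```

The sample run shows the two sides of the argument: the naive tool that starts on http:// gets attacker-controlled content without ever seeing an error, while the browser that once completed the redirect and stored the HSTS policy never sends the plain-HTTP request the attacker needs. The browser's first visit is still exposed, which is the gap a preload list closes; the tool's only fix is to require https:// up front, as strict_tool_fetch does.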


