[Catalog-sig] HTTPS now promoted on PyPI
Donald Stufft
donald.stufft at gmail.com
Tue Feb 19 14:43:21 CET 2013
On Tuesday, February 19, 2013 at 8:35 AM, Giovanni Bajo wrote:
> We have two different kind of users:
> 1) Browsers
> 2) Tools
>
> For browsers, yes, redirect would be useful. For tools, not so much (in fact, it can give false security feeling). This is also why I was proposing to apply for Chromium and Mozilla whitelists once HSTS is properly deployed (max-age > 6 months is needed to apply).
>
> I would be OK with redirecting for browsers (matching the user agent for instance), but I would try to disable for tools as much as possible.
The redirect only occurs on GET/HEAD, either the tools are using POST and won't be affected,
or they're using GET and the stdlib should handle the redirect automatically. Even without verification
of a SSL cert you still get some protection from passive attacks.
I also reject the idea that it will give a false security feeling as most people won't
even realize they are being redirected to SSL in a tool.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/catalog-sig/attachments/20130219/f6472a6b/attachment-0001.html>
More information about the Catalog-SIG
mailing list