[Catalog-sig] HTTPS now promoted on PyPI
Giovanni Bajo
rasky at develer.com
Tue Feb 19 14:48:58 CET 2013
On 19 Feb 2013, at 14:43, Donald Stufft <donald.stufft at gmail.com> wrote:
> On Tuesday, February 19, 2013 at 8:35 AM, Giovanni Bajo wrote:
>> We have two different kinds of users:
>> 1) Browsers
>> 2) Tools
>>
>> For browsers, yes, redirect would be useful. For tools, not so much (in fact, it can give false security feeling). This is also why I was proposing to apply for Chromium and Mozilla whitelists once HSTS is properly deployed (max-age > 6 months is needed to apply).
>>
>> I would be OK with redirecting for browsers (matching the user agent for instance), but I would try to disable for tools as much as possible.
> The redirect only occurs on GET/HEAD, either the tools are using POST and won't be affected,
> or they're using GET and the stdlib should handle the redirect automatically. Even without verification
> of an SSL cert you still get some protection from passive attacks.
Passwords are transmitted in POST requests, which don't get redirected. What kind of passive attacks are you thinking of?
> I also reject the idea that it will give a false security feeling as most people won't
> even realize they are being redirected to SSL in a tool.
I'm thinking of installation tools that print the current URL on the console, like pip and easy_install do.
--
Giovanni Bajo :: rasky at develer.com
Develer S.r.l. :: http://www.develer.com
My Blog: http://giovanni.bajo.it
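The asymmetry argued over in this message, as an added example that is not part of the thread or of PyPI's code: a simulated index that only redirects GET/HEAD from http to https (so a POST carrying a password is never redirected), a client-side rule that refuses to send credentials over plain http, and a parser that checks a Strict-Transport-Security max-age against the six-month figure quoted above. Hostnames, the six-month constant and the `Response` type are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Preload-list threshold as quoted in the thread ("max-age > 6 months");
# constructed constant, check the current list requirements before relying on it.
SIX_MONTHS = 6 * 30 * 24 * 3600


@dataclass
class Response:
    status: int
    location: Optional[str] = None
    cleartext_secret: Optional[str] = None  # what a passive observer could read


def index_server(method: str, url: str, password: Optional[str]) -> Response:
    """Simulated index: redirects GET/HEAD from http to https, nothing else."""
    parts = urlsplit(url)
    if parts.scheme == "http":
        if method in ("GET", "HEAD"):
            return Response(301, urlunsplit(("https",) + tuple(parts[1:])))
        # POST is accepted as-is: the password crossed the wire unencrypted.
        return Response(200, cleartext_secret=password)
    return Response(200)


def upload(url: str, password: str, enforce_https: bool) -> Response:
    """Client-side upload; with enforce_https the credential never leaves over http."""
    if enforce_https and urlsplit(url).scheme != "https":
        raise ValueError(f"refusing to send credentials to {url}")
    return index_server("POST", url, password)


def hsts_max_age(header: str) -> Optional[int]:
    """Parse a Strict-Transport-Security value and return max-age in seconds."""
    for item in header.split(";"):
        name, _, value = item.strip().partition("=")
        if name.lower() == "max-age":
            try:
                return int(value.strip('" '))
            except ValueError:
                return None
    return None


def hsts_meets_preload_window(header: str) -> bool:
    """True when max-age exceeds the six-month window discussed in the thread."""
    age = hsts_max_age(header)
    return age is not None and age > SIX_MONTHS
```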