[Distutils] PEP449 - Removal of the PyPI Mirror Auto Discovery and Naming Scheme

Donald Stufft donald at stufft.io
Thu Aug 29 12:31:12 CEST 2013


On Aug 28, 2013, at 7:05 PM, Nick Coghlan <ncoghlan at gmail.com> wrote:

> 
> On 29 Aug 2013 03:17, "Trishank Karthik Kuppusamy" <tk47 at students.poly.edu> wrote:
> >
> > On 08/28/2013 12:09 PM, Christian Theune wrote:
> > > Right. It doesn't add any security on its own, but it's a way that
> > > people can discover you're using SSL. :) I'll have to read up on how
> > > to do HSTS actually …
> >
> > That was my next question. Does pip honour HSTS? I could be wrong, but I
> > do not think so...
> 
> It's likely worth checking with Donald and Noah how the SSL enforcement on PyPI itself is set up. I believe the aim was just to ensure browsers are always using HTTPS, while switching other tools to SSL still requires client side updates.
> 
> Cheers,
> Nick.
> 
> >
> >
> > _______________________________________________
> > Distutils-SIG maillist  -  Distutils-SIG at python.org
> > http://mail.python.org/mailman/listinfo/distutils-sig


pip does not respect HSTS. It would be somewhat nice if it did, but the primary purpose
of HSTS is to protect against SSL downgrade attacks and users' own error in entering
http:// instead of https://. It's less important in a tool like pip where https should be
hardcoded. Its use would essentially work to remove user error if they accidentally enter
an http:// url instead of an https:// url (which isn't a bad thing).

HTTP on PyPI always redirects idempotent methods to HTTPS and it includes HSTS but
it does generally require client side updates to switch to HTTPS (in part because it
requires client side updates to even validate SSL).

As somebody else said, redirecting HTTP to HTTPS is a nice signal to users that they
should be using HTTPS, but it doesn't actually protect users, as someone in a MITM position
can intercept the redirect and just return content instead.

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
