[pydotorg-www] [Infrastructure] Removed wiki attack banners

anatoly techtonik techtonik at gmail.com
Thu Sep 5 21:58:46 CEST 2013

On Thu, Sep 5, 2013 at 7:06 PM, M.-A. Lemburg <mal at egenix.com> wrote:
> On 04.09.2013 22:26, M.-A. Lemburg wrote:
>> On 04.09.2013 22:16, M.-A. Lemburg wrote:
>>> On 03.09.2013 16:49, M.-A. Lemburg wrote:
>>>> Since the HTTPS redirect are now mostly working (there are still some
>>>> details to be worked out), I've removed the wiki banners about the
>>>> attack and instead added a section to the front pages of the Python
>>>> and Jython wikis.
>>>> It's a good idea to change the passwords on the wikis now, since
>>>> clear text passwords are just too easy to sniff at conferences.
>>> Update: The HTTPS config changes have now been put in place and
>>> HSTS is now also enabled for the wikis:
>>> http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
>>> (allowing redirects to happen on the client side, if the browser
>>> supports HSTS)
>> I've submitted an HSTS preload list entry request to Google for
>> inclusion in their list:
>> https://sites.google.com/a/chromium.org/dev/sts
>> https://src.chromium.org/viewvc/chrome/trunk/src/net/http/transport_security_state_static.json
>> Firefox bases its list on Google's, so hopefully wiki.python.org
>> will end up there as well in a few weeks:
>> http://blog.mozilla.org/security/2012/11/01/preloading-hsts/
>> https://wiki.mozilla.org/Privacy/Features/HSTS_Preload_List
> This is added now:
> http://src.chromium.org/viewvc/chrome?revision=221431&view=revision
> It'll appear in Chrome after the usual product development
> cycles. Not sure how often Mozilla updates their list.
> Donald: You might want to add pypi.python.org to the HSTS
> list as well.

All of the above is very good news indeed. =)
anatoly t.

More information about the pydotorg-www mailing list