On 04 Feb 2013, at 13:23, Christian Heimes <[email protected]> wrote:

> Am 04.02.2013 13:22, schrieb Donald Stufft:
>> On Monday, February 4, 2013 at 7:20 AM, Donald Stufft wrote:
>>> There can be more work in the future in making a reasonable
>>> end to end validation story possible however there are a few
>>> clear and easy wins especially with related to getting a real
>>> trusted SSL certificate paid for and installed and enforcing
>>> SSL.
>> I should probably note that both SSL and DNSSEC are steps
>> taken by Crate.io to prevent MITM. Crate went so far as to
>> contact Chrome and get crate.io added to the HSTS preload
>> list in Chrome so that in Chrome it's impossible to ever
>> access Crate w/o a valid SSL certificate. 
> 
> +1 for HSTS
> 
> I wrote an email regarding HSTS to the infrastructure list about 15
> minutes ago. It's good to see that you have the same opinion. :)


HSTS isn't useful for the issue at hand (securing against MITM attacks on pip) 
unless it's also implemented in Python's http library. A full HSTS 
implementation might be complicated (requires a user-specific storage), but you 
can obtain the same result by hard-coding the https PyPI URL in pip's source 
code, and either disabling HTTP redirections, or making sure redirections don't 
go through a non-SSL endpoint (which, btw, means you can't just check the final 
peer hostname; you need to check every intermediate redirect step).

Not that I'm against doing it on the server side for now, anyway. It'll 
still be useful to users manually browsing to PyPI.
-- 
Giovanni Bajo   ::  [email protected]
Develer S.r.l.  ::  http://www.develer.com

My Blog: http://giovanni.bajo.it



_______________________________________________
Catalog-SIG mailing list
[email protected]
http://mail.python.org/mailman/listinfo/catalog-sig
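The client-side alternative to HSTS sketched in the message above (pin the https URL, follow redirects by hand, and refuse any hop that leaves TLS or the pinned host) as an added example. This is not pip's code and not from the thread; the pinned host `pypi.python.org`, the `InsecureRedirect` exception, the `transport` hook and the constructed `FAKE_SERVER` responses are all assumptions made here so the check can be exercised offline.

```python
"""Hop-by-hop HTTPS enforcement for a client that cannot rely on HSTS.

Added example, not pip code: every URL in a redirect chain is validated
*before* it is requested, so a chain https -> http -> https is rejected
even though its final endpoint is TLS-protected.
"""
import http.client
import urllib.parse

# Assumed allowlist of hosts the client is willing to talk to.
PINNED_HOSTS = {"pypi.python.org"}
MAX_REDIRECTS = 5
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


class InsecureRedirect(Exception):
    """Raised when a redirect chain would leave HTTPS or the pinned hosts."""


def check_hop(url, pinned_hosts=PINNED_HOSTS):
    """Validate one URL in a redirect chain and return it parsed."""
    parts = urllib.parse.urlsplit(url)
    if parts.scheme != "https":
        raise InsecureRedirect(f"non-https hop: {url}")
    if parts.hostname not in pinned_hosts:
        raise InsecureRedirect(f"hop to unpinned host: {url}")
    return parts


def _real_transport(parts):
    """One request with no redirect following; returns (status, headers, body).

    http.client never follows redirects on its own, which is exactly what we
    want: the caller decides whether each Location is acceptable.
    """
    conn = http.client.HTTPSConnection(parts.hostname, parts.port or 443, timeout=30)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    conn.request("GET", path)
    resp = conn.getresponse()
    body = resp.read()
    headers = {k.lower(): v for k, v in resp.getheaders()}
    conn.close()
    return resp.status, headers, body


def fetch_https_only(url, transport=_real_transport, pinned_hosts=PINNED_HOSTS,
                     max_redirects=MAX_REDIRECTS):
    """Fetch url, validating every hop; returns (final_url, status, body)."""
    chain = [url]
    for _ in range(max_redirects + 1):
        parts = check_hop(url, pinned_hosts)      # reject before any bytes go out
        status, headers, body = transport(parts)
        if status not in REDIRECT_STATUSES:
            return url, status, body
        location = headers.get("location")
        if location is None:
            raise InsecureRedirect(f"redirect without Location from {url}")
        # Relative Locations resolve against the current (already validated) hop.
        url = urllib.parse.urljoin(url, location)
        chain.append(url)
    raise InsecureRedirect("too many redirects: " + " -> ".join(chain))


# Constructed responses standing in for a server, keyed by (host, path).
FAKE_SERVER = {
    ("pypi.python.org", "/simple/"): (301, {"location": "https://pypi.python.org/simple/requests/"}, b""),
    ("pypi.python.org", "/simple/requests/"): (200, {}, b"<html>index</html>"),
    ("pypi.python.org", "/downgrade/"): (302, {"location": "http://pypi.python.org/simple/"}, b""),
    ("pypi.python.org", "/offsite/"): (302, {"location": "https://mirror.example.invalid/"}, b""),
}


def fake_transport(parts):
    """Offline stand-in for _real_transport using the constructed responses."""
    return FAKE_SERVER[(parts.hostname, parts.path)]


def demo():
    """Run the three constructed chains; returns a dict of outcomes per chain."""
    results = {"ok": fetch_https_only("https://pypi.python.org/simple/", fake_transport)[0]}
    for name in ("downgrade", "offsite"):
        try:
            fetch_https_only(f"https://pypi.python.org/{name}/", fake_transport)
            results[name] = "accepted"
        except InsecureRedirect as exc:
            results[name] = "rejected: " + str(exc)
    return results


if __name__ == "__main__":
    for chain, outcome in demo().items():
        print(f"{chain}: {outcome}")
```

Two design points follow from the message: the scheme and host check runs before each request is sent, not after the chain completes, so the downgraded hop is never contacted; and `http.client` is used directly because it does not follow redirects itself, which keeps the policy decision in one place. Hostname verification of the TLS certificate on each `HTTPSConnection` is a separate concern and is left to the interpreter's SSL configuration here.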