On 28 Aug 2013, at 4:03 PM, Trishank Karthik Kuppusamy <t...@students.poly.edu> wrote:
> On 8/28/13 8:37 AM, Christian Theune wrote:
>>
>> I will also add a valid SSL certificate in the next minutes. What's your
>> take on enforcing SSL e.g. via redirects?
>>
>
> I am not an expert, but I guess this depends on who is enforcing the SSL
> redirection. If someone untrusted can be a man-in-the-middle between your
> clients and http://pypi.gocept.com, then this man-in-the-middle should be
> able to redirect your HTTP-only clients anywhere else.

Right. It doesn't add any security on its own, but it's a way that people can discover you're using SSL. :)

I'll have to read up on how to do HSTS actually …

> I would venture that the best thing to do, if feasible, is to get your
> clients to point strictly to https://pypi.gocept.com and test that pip >= 1.3
> verifies the SSL connection.

Right.

Christian

--
Christian Theune · gocept gmbh & co. kg
flyingcircus.io · operations as a service
Forsterstraße 29 · 06112 Halle (Saale) · Tel +49 345 1229889-7
_______________________________________________
Distutils-SIG maillist - Distutils-SIG@python.org
http://mail.python.org/mailman/listinfo/distutils-sig
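The distinction drawn in the thread (an HTTP-to-HTTPS redirect only advertises HTTPS, while HSTS makes a client refuse plaintext for a period after its first HTTPS visit) can be checked against a server's response headers. The following is an added example, not code from the thread or from gocept; it parses the Strict-Transport-Security header per RFC 6797 and classifies a deployment, using constructed sample headers with pypi.gocept.com only as the host name under discussion.

```python
from typing import Optional

# RFC 6797 recommends a long max-age; one year is a common floor for production sites.
RECOMMENDED_MIN_MAX_AGE = 365 * 24 * 3600


def parse_hsts(header: Optional[str]) -> Optional[dict]:
    """Parse a Strict-Transport-Security value per RFC 6797 section 6.1.

    Returns None when the header is absent or invalid (no max-age, a malformed
    or duplicated directive), since a client must ignore such a header entirely.
    """
    if header is None:
        return None
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if result["max_age"] is not None or not value.isdecimal():
                return None
            result["max_age"] = int(value)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
        # Unknown or empty directives are ignored, as the RFC requires.
    return result if result["max_age"] is not None else None


def assess(http_status: int, location: Optional[str], https_headers: dict) -> str:
    """Classify a deployment from an HTTP probe result and the HTTPS response headers.

    A redirect alone only advertises HTTPS: a client that starts over plaintext can be
    redirected anywhere by an on-path attacker. HSTS makes the client refuse plaintext
    for max-age seconds after its first successful HTTPS visit.
    """
    redirects = http_status in (301, 302, 307, 308) and (location or "").lower().startswith("https://")
    sts = next((v for k, v in https_headers.items() if k.lower() == "strict-transport-security"), None)
    policy = parse_hsts(sts)
    if policy is None:
        return "redirect-only" if redirects else "none"
    if policy["max_age"] == 0:
        return "hsts-disabled"  # max-age=0 tells clients to forget the host's policy
    if policy["max_age"] < RECOMMENDED_MIN_MAX_AGE:
        return "hsts-short-max-age"
    return "hsts"


if __name__ == "__main__":
    # Constructed sample responses, not real probes of the host.
    print(assess(301, "https://pypi.gocept.com/", {}))  # redirect-only
    print(assess(301, "https://pypi.gocept.com/", {"Strict-Transport-Security": "max-age=31536000"}))  # hsts
```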