[pydotorg-www] [Infrastructure] Removed wiki attack banners

anatoly techtonik techtonik at gmail.com
Thu Sep 5 21:58:46 CEST 2013


On Thu, Sep 5, 2013 at 7:06 PM, M.-A. Lemburg <mal at egenix.com> wrote:
> On 04.09.2013 22:26, M.-A. Lemburg wrote:
>> On 04.09.2013 22:16, M.-A. Lemburg wrote:
>>> On 03.09.2013 16:49, M.-A. Lemburg wrote:
>>>> Since the HTTPS redirects are now mostly working (there are still some
>>>> details to be worked out), I've removed the wiki banners about the
>>>> attack and instead added a section to the front pages of the Python
>>>> and Jython wikis.
>>>>
>>>> It's a good idea to change the passwords on the wikis now, since
>>>> clear text passwords are just too easy to sniff at conferences.
>>>
>>> Update: The HTTPS config changes have now been put in place and
>>>
>>> HSTS is now also enabled for the wikis:
>>>
>>> http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
>>>
>>> (allowing redirects to happen on the client side, if the browser
>>> supports HSTS)
>>
>> I've submitted an HSTS preload list entry request to Google for
>> inclusion in their list:
>>
>> https://sites.google.com/a/chromium.org/dev/sts
>> https://src.chromium.org/viewvc/chrome/trunk/src/net/http/transport_security_state_static.json
>>
>> Firefox bases its list on Google's, so hopefully wiki.python.org
>> will end up there as well in a few weeks:
>>
>> http://blog.mozilla.org/security/2012/11/01/preloading-hsts/
>> https://wiki.mozilla.org/Privacy/Features/HSTS_Preload_List
>
> This is added now:
>
> http://src.chromium.org/viewvc/chrome?revision=221431&view=revision
>
> It'll appear in Chrome after the usual product development
> cycles. Not sure how often Mozilla updates their list.
>
> Donald: You might want to add pypi.python.org to the HSTS
> list as well.

All of the above is very good news indeed. =)
--
anatoly t.

