[Catalog-sig] HTTPS now promoted on PyPI
Donald Stufft
donald.stufft at gmail.com
Tue Feb 19 14:27:17 CET 2013
On Tuesday, February 19, 2013 at 8:23 AM, Giovanni Bajo wrote:
> What are the benefits of redirects? I think they just hide potential problems, and they still can be exploited by MITM through ssl-stripping. Plus, they cause breakage and/or UX problems in existing tools.
>
If you do not redirect users to HTTPS you cannot set HSTS until they
manually visit an HTTPS URL. The redirect allows an easy way to force
everyone to visit an HTTPS URL immediately upon navigating to PyPI.
>
> Given that they give basically no security, I would suggest their removal until we fix all important issues in all third-party tools. For browsers, since you can still serve HSTS headers even without redirects, we can get it included in Chrome and Firefox builtin HSTS list.
HSTS can only be sent within an HTTPS response with a valid SSL certificate; to
allow otherwise would allow a MITM to effectively prevent a user from visiting
a site.
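As an added example (not code from PyPI, pip, or anyone in this thread), the following Python models the flow argued for above: an origin that 301-redirects http:// to https:// and sends Strict-Transport-Security only on the HTTPS side, and a user agent whose HSTS store follows RFC 6797 section 8.1, so a policy is recorded only from an HTTPS response whose certificate validated and a header injected into a plaintext reply, or served with a bad certificate, is ignored. The host name pypi.example, the one-year max-age, and all class and function names are assumptions made for illustration.

```python
"""Toy model of the redirect-then-HSTS flow discussed in the thread.

Added example, not code from PyPI, pip or the thread's authors. The host
name pypi.example, the one-year max-age and the Server/Client classes are
assumptions made for illustration; the policy rules follow RFC 6797.
"""
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

HSTS_MAX_AGE = 31536000  # one year; an assumed value


@dataclass
class Response:
    status: int
    headers: dict


def to_https(url: str) -> str:
    """Swap the scheme of an http:// URL for https://, keeping the rest."""
    parts = urlsplit(url)
    return urlunsplit(("https",) + tuple(parts[1:]))


@dataclass
class Server:
    """Origin that optionally redirects plain HTTP to HTTPS and sends HSTS
    on HTTPS responses only (a plaintext response never carries it)."""
    redirect_http: bool = True

    def handle(self, url: str) -> Response:
        if urlsplit(url).scheme == "http":
            if self.redirect_http:
                return Response(301, {"Location": to_https(url)})
            return Response(200, {})  # served in the clear: HSTS cannot be set here
        return Response(200, {"Strict-Transport-Security": f"max-age={HSTS_MAX_AGE}"})


def parse_max_age(value: str) -> Optional[int]:
    """Extract max-age from an HSTS value such as 'max-age=300; includeSubDomains'."""
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.lower() == "max-age" and val.strip('"').isdigit():
            return int(val.strip('"'))
    return None


@dataclass
class Client:
    """User agent with an HSTS policy store (RFC 6797 section 8.1): the header
    is honoured only on an HTTPS response whose certificate validated."""
    known_hosts: dict = field(default_factory=dict)  # host -> expiry (seconds)
    clock: int = 0                                    # fake clock for determinism
    fetched: list = field(default_factory=list)       # URLs actually sent on the wire

    def rewrite(self, url: str) -> str:
        """Upgrade http:// to https:// for hosts with an unexpired HSTS policy."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.known_hosts.get(parts.hostname, -1) > self.clock:
            return to_https(url)
        return url

    def note_policy(self, url: str, response: Response, tls_valid: bool) -> bool:
        """Store an HSTS policy only if it arrived over validated HTTPS."""
        header = response.headers.get("Strict-Transport-Security")
        if not header or urlsplit(url).scheme != "https" or not tls_valid:
            return False
        max_age = parse_max_age(header)
        if max_age is None:
            return False
        host = urlsplit(url).hostname
        if max_age == 0:
            self.known_hosts.pop(host, None)  # max-age=0 clears the policy
        else:
            self.known_hosts[host] = self.clock + max_age
        return True

    def visit(self, url: str, server: Server, tls_valid: bool = True, max_redirects: int = 5) -> str:
        """Follow redirects from `server`, applying and learning HSTS; return the final URL."""
        for _ in range(max_redirects + 1):
            url = self.rewrite(url)
            self.fetched.append(url)
            response = server.handle(url)
            self.note_policy(url, response, tls_valid)
            if response.status != 301:
                return url
            url = response.headers["Location"]
        raise RuntimeError("too many redirects")


def redirect_then_hsts() -> list:
    """With the redirect, one plain-HTTP visit pins the host; the next http://
    URL is upgraded locally and never reaches the wire in the clear."""
    client, server = Client(), Server(redirect_http=True)
    client.visit("http://pypi.example/simple/", server)
    client.visit("http://pypi.example/simple/pip/", server)
    return client.fetched


def no_redirect_no_hsts() -> dict:
    """Without the redirect an http:// user is served in the clear and never learns HSTS."""
    client, server = Client(), Server(redirect_http=False)
    client.visit("http://pypi.example/simple/", server)
    return dict(client.known_hosts)


def injected_over_http_ignored() -> dict:
    """A MITM cannot pin the host by injecting HSTS into a plaintext reply."""
    client = Client()
    forged = Response(200, {"Strict-Transport-Security": "max-age=31536000"})
    client.note_policy("http://pypi.example/", forged, tls_valid=True)
    return dict(client.known_hosts)


def bad_certificate_ignored() -> bool:
    """HSTS on an HTTPS response with a failed certificate check is not stored."""
    client = Client()
    header = Response(200, {"Strict-Transport-Security": "max-age=31536000"})
    return client.note_policy("https://pypi.example/", header, tls_valid=False)
```

The first http:// request in `redirect_then_hsts` is still sent in the clear, which is exactly the window an SSL-stripping MITM has; the point of the redirect is that, for a client which does honour HSTS, that window closes after the first successful HTTPS response, whereas without the redirect it never closes.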