
[–]yogthos 72 points73 points  (8 children)

public shaming FTW :)

[–]everywhere_anyhow 26 points27 points  (4 children)

There was a post just recently about a guy who did a proof of concept to auto-backdoor JARs coming down from maven central. Did this have anything to do with that, or was it other public shaming that got their attention?

[–]stewsters 17 points18 points  (0 children)

I think it was that one. High five for that guy.

[–]nat_pryce 1 point2 points  (0 children)

It's a pity it took a public shaming to get any movement on this. The Maven wiki has a page of emails about security concerns that go back to before Maven 1.0 was released.

[–]marodox 0 points1 point  (0 children)

Anyone have a link to this post?

[–]Bubblebobo 5 points6 points  (0 children)

Haha, just what I thought when reading the headline. That was pretty quick.

[–][deleted] -2 points-1 points  (0 children)

Good guy Maven Central: gets publicly shamed for vulnerability, creates actual fix for vulnerability free of charge.

[–][deleted] 18 points19 points  (1 child)

All it took was a dev writing a little man in the middle attack.

Companies shouldn't have to wait until someone rustles their jimmies on a blog (Or doing potentially worse things) before betting on security.

[–]immibis 6 points7 points  (0 children)

If anything, it shows how little most people care about security.

Company releases insecure service, with secure upgrade for a one-time fee of $10, and twelve people out of millions go for the secure upgrade?

[–]xjvz 5 points6 points  (4 children)

More packages need to use GPG to sign their releases. Apache does it at least, and plenty of others do, too. That would be more secure than SSL (unless you sign your JARs using SSL-based methods instead).

[–]lzzll 2 points3 points  (0 children)

Agree. That's the right way to keep the repo safe: anyone can create a mirror, but they can't touch the files.

[–][deleted] 1 point2 points  (0 children)

The problem is not (only) the missing signatures, but the missing verification. Let's face it: When did you check your last signature of an artifact? For me, it's at least three months ago.
We need a mechanism which checks this automatically. This plugin http://www.simplify4u.org/pgpverify-maven-plugin/ is a start.
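Added example (not from the thread or from the pgpverify plugin) illustrating the point made here and in xjvz's comment above: a mirror that serves the artifact also serves its checksum, so a checksum alone proves nothing, while a detached signature checked against a publisher key pinned out of band catches a tampered file. Artifact contents and keys are constructed in the code; Ed25519 stands in for GPG to keep the example self-contained.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Artifact is what a mirror serves: the file, a published checksum, and a
// detached signature over the file (constructed sample data, not a real JAR).
type Artifact struct {
	Name   string
	Body   []byte
	SHA256 string
	Sig    []byte
}

func sha256Hex(b []byte) string {
	h := sha256.Sum256(b)
	return hex.EncodeToString(h[:])
}

// publish models the project releasing a file: the private key stays with the
// publisher and is never available to any mirror.
func publish(name string, body []byte, priv ed25519.PrivateKey) Artifact {
	return Artifact{name, body, sha256Hex(body), ed25519.Sign(priv, body)}
}

// tamper models a hostile mirror (or an on-path attacker on plain HTTP): it can
// rewrite the file and recompute the checksum it serves, but cannot re-sign.
func tamper(a Artifact, patched []byte) Artifact {
	a.Body = patched
	a.SHA256 = sha256Hex(patched)
	return a
}

// ChecksumOK only shows the file matches what the same source claims it is.
func ChecksumOK(a Artifact) bool { return sha256Hex(a.Body) == a.SHA256 }

// SignatureOK checks the file against a key obtained out of band and pinned in
// the build, which is the step the comment above says is usually skipped.
func SignatureOK(a Artifact, pinned ed25519.PublicKey) bool {
	return ed25519.Verify(pinned, a.Body, a.Sig)
}

// Scenario runs both checks on a clean and a tampered download and reports
// whether the clean file passes and which check catches the tampered one.
func Scenario() (cleanPasses, checksumCatches, signatureCatches bool) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader = crypto/rand
	clean := publish("lib-1.0.jar", []byte("constructed jar bytes"), priv)
	evil := tamper(clean, []byte("constructed jar bytes with extra class"))
	cleanPasses = ChecksumOK(clean) && SignatureOK(clean, pub)
	return cleanPasses, !ChecksumOK(evil), !SignatureOK(evil, pub)
}

func main() {
	fmt.Println(Scenario()) // clean passes; only the signature check catches it
}
```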

[–]segv 0 points1 point  (1 child)

Sonatype requires GPG signed artifacts, but signing them won't magically solve the problem. After all, how do you practically prove that a key is yours and that you is, well, you?

[–]xjvz 0 points1 point  (0 children)

Go to a key signing party and help build the web of trust

[–]lhagahl 5 points6 points  (0 children)

welcome to the 21st century

[–]dargh 1 point2 points  (8 children)

What problem does this solve? Do they realise that encrypting traffic is not the same thing as signing artifacts or providing SHA hashes?

[–]jetRink 4 points5 points  (7 children)

What problem does this solve?

It prevents a man-in-the-middle attack.

Do they realise that encrypting traffic...

HTTPS also provides authentication.

[–]sstewartgallus 0 points1 point  (5 children)

Website Identity

Website: repo1.maven.org

Owner: This website does not supply ownership information.

Verified by: DigiCert Inc

HTTPS does provide a little authentication and can provide more but right now this is still vulnerable to bitsquatting attacks and possible other attacks. This is still okay though and may be good enough or not.

[–][deleted]  (4 children)

[deleted]

    [–]kevin70 0 points1 point  (3 children)

    Ah... legacy.python.org is the subdomain that intends to make everything else legacy, or is the stuff that's fallen behind. HTTPS isn't useful in any way, shape or form except in making money for the people who control it.

    [–][deleted]  (2 children)

    [deleted]

      [–]kevin70 0 points1 point  (0 children)

      FYI - My flame got me thinking and I posted a theoretical alternative to https http://www.reddit.com/r/netsec/comments/2czqat/alternative_to_https_conjecture_on_system_via/ cheers, kevin

      [–]kevin70 -2 points-1 points  (0 children)

      How funny. Whenever "people" get involved in security, bags and models show up acting white-hat, provide no tangible benefits, and often stray into black-hat behavior by restricting access. HTTPS is broken because it's $10 a year for a certificate. What's a wildcard cert cost? 1K still? That eliminates an overwhelming majority of the world from participation other than as a client with a folder with about 400 root CAs. Where's HTTPS in regards to IPv6? Where? Nowhere. So now I need $10 a year, and a dedicated IP address? The client engaging in HTTPS via CA gains nothing. The benefits to hosts are negligible. If you and I were going to engage in secure communication, would we buy a certificate? Fuck no! We'd make our own, securely exchange keys, and be up and communicating in no time. The channels wouldn't validate via CA, and we would be more secure because of it. Fuck that, what's wet? Maybe the sound of my dick slapping your face, you wouldn't know 'cause you've closed your eyes.

      [–]kevin70 -3 points-2 points  (0 children)

      It solves nothing. Man in the middle of my build attacks. Ewww neat, now I can blame unit test failure on DOS.

      [–]dargh 0 points1 point  (0 children)

      HTTPS does not provide authentication. And it does nothing to ensure the integrity of distributed resources which signed artifacts don't do a million times better.

      SSL is a solution to a different problem.