[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[scl.org] Fwd: [Distutils] Disabling non HTTPS access to APIs on PyPI



Hi folks,

I'm pretty sure that all the current Python SCLs are sufficiently up to date that they'll be accessing PyPI over HTTPS by default, but passing this notice along anyway: if you start getting access errors for PyPI, check to make sure you don't still have some HTTP URLs in your config settings.

Cheers,
Nick.

---------- Forwarded message ----------
From: Donald Stufft <donald stufft io>
Date: 27 October 2017 at 01:11
Subject: [Distutils] Disabling non HTTPS access to APIs on PyPI
To: Distutils <distutils-sig python org>


Historically PyPI was only available over either HTTP or unvalidated HTTPS, and over time we’ve been pushing more and more traffic onto HTTPS. In Warehouse the decision was made to *not* redirect “API” URLs from HTTP to HTTPS, but to rather return an error accessing them from HTTP. This is because while logged in views have HSTS to ensure HTTPS in the browser (and with humans manually entering them into the URL bar regularly they are more error prone) APIs which are typically accessed by automated clients with an URL configured or hardcoded typically do not respect HSTS, so if you had a script that did ``curl http://pypi.python.org/simple/``, it would silently get redirects to https and appear to “work”, but you wouldn’t get any of the security properties of TLS because an attacker would just intercept the request prior to the redirect happening.

Today I’ve backported this changed to the current production deployment of PyPI, which means that you can no longer access /simple/ and /packages/ over HTTP and you will have to directly go to HTTPS. For most people this should have no effect, because most tooling should be defaulting to HTTPS anyways, however if you’re using a significantly old version of tooling, it may still be defaulting to the HTTP url and will now stop functioning.

The recommended remediation is to upgrade your tooling to versions that support verified TLS connections and which default to the proper HTTPS URLs.

_______________________________________________
Distutils-SIG maillist  -  Distutils-SIG python org
https://mail.python.org/mailman/listinfo/distutils-sig




--
Nick Coghlan   |   ncoghlan gmail com   |   Brisbane, Australia

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]