Engineering
Rob Winch
June 10, 2019

I’m pleased to announce the nohttp project, which lets users find, replace, and prevent the usage of http://.
Background

Today, Jonathan Leitschuh published a blog post titled "Want to take over the Java ecosystem? All you need is a MITM!". The post demonstrates that hundreds of Java libraries are downloading dependencies over HTTP. This opens the projects up to potential MITM (man in the middle) attacks.

Unfortunately, there were multiple Spring projects that were using HTTP to download dependencies. Fortunately, we uncovered no signs of a successful MITM attack. We have also addressed the issue to ensure that no MITM attacks can be made in the future.
Spring Team Reaction

The Spring Team takes security very seriously. Since discovering that there were Spring projects downloading dependencies over HTTP, we have taken measures to ensure that a MITM attack cannot happen in the future. The most obvious change is to update Maven repository locations to use HTTPS. However, we have taken this much further by switching to using HTTPS (almost) everywhere.

It is 2019, so, hopefully, it is apparent why we want to remove the usage of HTTP. Using HTTPS is fast, simple, and available for free, so there are no excuses for continuing to use HTTP. As developers, it is important that we help the world transition to use HTTPS everywhere (even static sites need HTTPS).

We certainly are not the only ones trying to eliminate HTTP usage. Let’s Encrypt was formed to make HTTPS free, automated, and open. Chrome has updated its UI to indicate that HTTP is insecure. Maven Central has deprecated the use of HTTP. The list goes on.
Replacing HTTP with HTTPS

The Spring team has gone to great lengths to update all of our URLs to use HTTPS. This includes everything from our Maven repository URLs, to the Apache License link, to documentation links. There are some instances where using HTTPS was not possible. For example, some sites we link to do not support HTTPS, XML namespace identifiers must match the identifier in the document, and so on.
HTTPS XML Locations through the Classpath

In our efforts to eliminate HTTP usage, Spring Framework has been updated to resolve XML schema locations that use HTTPS through the classpath. Previously, this was only done for schema locations that used HTTP. Consider the following XML configuration:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           https://www.springframework.org/schema/beans/spring-beans.xsd">
    <!-- the xmlns value is a namespace name (an identifier) and stays http://;
         only the .xsd schema location above is switched to https:// -->
</beans>

The https://www.springframework.org/schema/beans/spring-beans.xsd URL is resolved through the classpath instead of requiring a network connection.

Notice that the XML namespace name, which is an identifier, cannot be changed to use HTTPS. This is not ideal from the perspective of being able to put security controls in place, but the name is never requested over a network, so it poses little harm to users.
Infrastructure Updates

The Spring team has updated all our hosts to ensure that HTTPS is being used. Each site supports HTTPS, redirects to HTTPS, and uses Strict Transport Security.

A potential MITM means that our build infrastructure could have been compromised. In response to this, we repaved all of our build infrastructure and rotated all of our credentials.
New Security Controls

While it is important to react to a security incident, it is also important to put security controls in place to ensure the problem does not happen again.

We have updated our build boxes to block HTTP traffic to ensure that this cannot happen again. To protect developers and our users, we have created the nohttp project. This project can be used to find, replace, and prevent http:// usage while being pragmatic about allowing URLs that cannot change (such as XML namespace names). For additional details, refer to the project’s site.
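As an added illustration (not code from the nohttp project itself), here is a small Python scanner that does the three things described above on constructed sample files: it finds http:// URLs, replaces the ones that are actually fetched over the network with https://, and exempts XML namespace names (including the namespace half of each schemaLocation pair), which are identifiers that are never requested. The file contents and the repository host repo.example.test are constructed for the example.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample input (not taken from the post): a Gradle build script with
# an http:// Maven repository, and a Spring XML config whose namespace names must
# stay http:// while its .xsd location can safely move to https://.
SAMPLE_FILES: Dict[str, str] = {
    "build.gradle": (
        "repositories {\n"
        "    maven { url 'http://repo.example.test/libs-release' }\n"
        "}\n"
    ),
    "beans.xml": (
        '<beans xmlns="http://www.springframework.org/schema/beans"\n'
        '       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"\n'
        '       xsi:schemaLocation="http://www.springframework.org/schema/beans '
        'http://www.springframework.org/schema/beans/spring-beans.xsd">\n'
        "</beans>\n"
    ),
}

HTTP_URL = re.compile(r"http://[^\s\"'<>]+")

def namespace_identifiers(text: str) -> Set[str]:
    """XML namespace names are identifiers that are never fetched, so exempt them."""
    names = set(re.findall(r'xmlns(?::\w+)?="([^"]+)"', text))
    for value in re.findall(r'schemaLocation="([^"]+)"', text):
        names.update(value.split()[0::2])  # (namespace, location) pairs: keep namespaces
    return names

def find_http(path: str, text: str) -> List[Tuple[str, int, str]]:
    """Find: every http:// URL that is not an exempt namespace identifier."""
    allowed = namespace_identifiers(text)
    return [(path, lineno, url)
            for lineno, line in enumerate(text.splitlines(), start=1)
            for url in HTTP_URL.findall(line) if url not in allowed]

def replace_http(text: str) -> str:
    """Replace: rewrite fetchable http:// URLs to https://, leaving namespace names alone."""
    allowed = namespace_identifiers(text)
    return HTTP_URL.sub(
        lambda m: m.group(0) if m.group(0) in allowed else "https://" + m.group(0)[7:],
        text)

def check(files: Dict[str, str]) -> List[Tuple[str, int, str]]:
    """Prevent: a CI gate fails the build when this list is non-empty."""
    return [hit for path, text in files.items() for hit in find_http(path, text)]
```

Running check(SAMPLE_FILES) reports the Gradle repository URL and the .xsd location but not the two namespace names, and replace_http rewrites only those two findings, after which check returns an empty list.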
Join Us

We hope that you will join the revolution to help eliminate the usage of HTTP.