Maven Central Enables SSL
Responding to concerns that hackers could upload rogue versions of common libraries to Maven Central, Sonatype, Inc. has released a new version that uses SSL connectivity by default. Sonatype VP of Product Management Brian Fox comments on the initiative and notes that Sonatype's commercial customers had been the first to start asking for SSL connectivity. He attributes the "blindspot" that allowed this issue to persist for so long to the fact that since 2012 the company has only had 12 signups for SSL-enabled Nexus.
The issue of Maven operating in plaintext HTTP came to greater prominence when security consultant Max Veytsman released a blog post entitled "How to take over the computer of any Java (or Clojure or Scala) developer" last week. In the post, Veytsman highlights the vulnerability of Maven Central to the class of network attacks known as "Man in the Middle" attacks.
Sonatype responded and revealed that a project to fix the security hole for all users was already underway, and that the current plan is to have SSL support as the default option in CLM and Nexus by August 12th.
SSL connectivity for Maven Central was made available yesterday. Existing tools can be configured to use https://repo1.maven.org/maven2/ by default, and existing Maven users can create a settings.xml file that redefines 'central' to use https instead of http. More information is on the consumers page.
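As an added illustration (not taken from the article or from Sonatype), the script below embeds a constructed settings.xml that redefines 'central' over https and audits it for repository entries still on plaintext http. The profile id `secure-central` and the function names are assumptions, and the check also covers `<mirror>` entries, which goes slightly beyond the case described above.

```python
import xml.etree.ElementTree as ET

# Constructed settings.xml: a profile (hypothetical id 'secure-central') that
# redefines 'central' for both artifacts and plugins with the HTTPS URL.
SECURE_SETTINGS = """<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <profiles>
    <profile>
      <id>secure-central</id>
      <repositories>
        <repository>
          <id>central</id>
          <url>https://repo1.maven.org/maven2/</url>
        </repository>
      </repositories>
      <pluginRepositories>
        <pluginRepository>
          <id>central</id>
          <url>https://repo1.maven.org/maven2/</url>
        </pluginRepository>
      </pluginRepositories>
    </profile>
  </profiles>
  <activeProfiles>
    <activeProfile>secure-central</activeProfile>
  </activeProfiles>
</settings>"""

# Constructed counter-example: the first 'central' entry left on plaintext HTTP.
MIXED_SETTINGS = SECURE_SETTINGS.replace("https://", "http://", 1)

REPO_TAGS = {"repository", "pluginRepository", "mirror"}

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def plaintext_repos(xml_text):
    """Return (element, id, url) for every repository or mirror on http://."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) not in REPO_TAGS:
            continue
        fields = {local(c.tag): (c.text or "").strip() for c in el}
        url = fields.get("url", "")
        if url.lower().startswith("http://"):
            findings.append((local(el.tag), fields.get("id", ""), url))
    return findings
```

Parsing the file rather than searching it for "http://" avoids a false hit on the settings namespace URI, which is an identifier and not a download location.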
Is it enough?