
Maven Central Enables SSL

by Ben Evans on Aug 04, 2014

Responding to concerns that hackers could upload rogue versions of common libraries to Maven Central, Sonatype, Inc. has released a new version that uses SSL connectivity by default. Sonatype VP of Product Management Brian Fox comments on the initiative and notes that Sonatype's commercial customers had been the first to start asking for SSL connectivity. He defends the "blind spot" that allowed this issue to persist for so long by pointing out that since 2012 the company has had only 12 signups for SSL-enabled Nexus.

The issue of Maven operating over plaintext HTTP came to greater prominence when security consultant Max Veytsman released a blog post entitled "How to take over the computer of any Java (or Clojure or Scala) developer" last week. In the post, Veytsman highlights the vulnerability of Maven Central to the class of network attacks known as man-in-the-middle (MITM) attacks.

Sonatype responded and revealed that a project to fix the security hole for all users was already underway, and that the current plan is to have SSL support as the default option in CLM and Nexus by August 12th.

SSL connectivity for Maven Central was made available yesterday. Existing tools can be configured to use https://repo1.maven.org/maven2/ by default, and existing Maven users can create a settings.xml file that redefines 'central' to use https instead of http. More information is on the consumers page.
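One way to apply the settings.xml change described above, as an added example that is not from the article or from Sonatype; the mirror id is an assumed label, and the file is assumed to live at ~/.m2/settings.xml:

```xml
<!-- ~/.m2/settings.xml (added example, not from the article or Sonatype).
     A mirror entry whose mirrorOf matches the built-in repository id
     "central" redirects every dependency and plugin download that would
     otherwise go to the plaintext http URL to the HTTPS endpoint. -->
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <mirrors>
    <mirror>
      <!-- local label for this mirror; the name is arbitrary (assumed) -->
      <id>central-https</id>
      <!-- match only the default "central" repository; repositories
           declared in individual poms with other ids are unaffected -->
      <mirrorOf>central</mirrorOf>
      <url>https://repo1.maven.org/maven2/</url>
    </mirror>
  </mirrors>
</settings>
```

To confirm the redirect took effect, run `mvn help:effective-settings` and check that the mirror appears, then watch a fresh build's download lines for URLs beginning with https://repo1.maven.org/maven2/.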

InfoQ.com and all content copyright © 2006-2014 C4Media Inc. InfoQ.com hosted at Contegix, the best ISP we've ever worked with.