
Maven Central Enables SSL

by Ben Evans on Aug 04, 2014


Responding to concerns that hackers could upload rogue versions of common libraries to Maven Central, Sonatype, Inc. has released a new version that uses SSL connectivity by default. Sonatype VP of Product Management Brian Fox comments on the initiative and notes that Sonatype's commercial customers had been the first to start asking for SSL connectivity. He attributes the "blindspot" that let this issue persist for so long to the fact that, since 2012, the company has had only 12 signups for SSL-enabled Nexus.

The issue of Maven operating in plaintext HTTP came to greater prominence when security consultant Max Veytsman released a blog post entitled "How to take over the computer of any Java (or Clojure or Scala) developer" last week. In the post, Veytsman highlights the vulnerability of Maven Central to the class of network attacks known as "Man in the Middle" attacks.

Sonatype responded and revealed that a project to fix the security hole for all users was already underway, and that the current plan is to have SSL support as the default option in CLM and Nexus by August 12th.

SSL connectivity for Maven Central was made available yesterday. Existing tools can be configured to use https://repo1.maven.org/maven2/ by default, and existing Maven users can create a settings.xml file that redefines 'central' to use https instead of http. More information is on the consumers page.
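As an added illustration (not code from Sonatype or the original article), the Python check below parses a settings.xml and reports every repository, plugin repository or mirror still fetched over plaintext HTTP. The embedded settings file is a constructed sample: the profile name `secure-central` and the `legacy-mirror` entry are assumptions, and only the https://repo1.maven.org/maven2/ URL comes from the article.

```python
import xml.etree.ElementTree as ET

# Constructed sample: 'central' is redefined over https as the article
# describes, but a leftover mirror of '*' still points at plaintext http
# and would take over the downloads meant for the https 'central'.
SAMPLE_SETTINGS = """<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <mirrors>
    <mirror><id>legacy-mirror</id><mirrorOf>*</mirrorOf>
      <url>http://mirror.example.invalid/maven2</url></mirror>
  </mirrors>
  <profiles>
    <profile>
      <id>secure-central</id>
      <repositories>
        <repository>
          <id>central</id>
          <url>https://repo1.maven.org/maven2/</url>
        </repository>
      </repositories>
      <pluginRepositories>
        <pluginRepository>
          <id>central</id>
          <url>https://repo1.maven.org/maven2/</url>
        </pluginRepository>
      </pluginRepositories>
    </profile>
  </profiles>
  <activeProfiles>
    <activeProfile>secure-central</activeProfile>
  </activeProfiles>
</settings>"""

def local(tag):
    # Strip the XML namespace so files with or without xmlns both work.
    return tag.rsplit("}", 1)[-1]

def plaintext_repos(xml_text):
    """Return (kind, id, url) for each repo or mirror whose URL is not https."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) not in ("repository", "pluginRepository", "mirror"):
            continue
        fields = {local(c.tag): (c.text or "").strip() for c in el}
        url = fields.get("url", "")
        if url and not url.lower().startswith("https://"):
            findings.append((local(el.tag), fields.get("id", "?"), url))
    return findings

if __name__ == "__main__":
    print(plaintext_repos(SAMPLE_SETTINGS))
```

Run against the sample, only the mirror is reported; the same function can be pointed at the contents of a real `~/.m2/settings.xml`.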
