This is a follow-up to bug 444350 comment 21:

Hi Eclipse Team,

I'm reaching out asking for your support on the initiative to formally deprecate the download of dependencies over HTTP by January 15th, 2020. The full scope of my research is captured in this article I published on June 10th titled 'Want to take over the Java ecosystem? All you need is a MITM!' https://medium.com/bugbountywriteup/want-to-take-over-the-java-ecosystem-all-you-need-is-a-mitm-1fc329d898fb?source=friends_link&sk=3c99970c55a899ad9ef41f126efcde0e

As a part of this research project I reached out to some of the most used artifact server owners in our industry: Sonatype of Maven Central, Pivotal of Spring, RedHat, and JFrog of JCenter bintray. I discussed with them that one way to resolve this issue is to shut down the HTTP (port 80) endpoint, thus breaking insecure builds that could be maliciously compromised. Sonatype agreed to this and will be moving forward with the deprecation on January 15th, 2020. https://central.sonatype.org/articles/2019/Apr/30/http-access-to-repo1mavenorg-and-repomavenapacheorg-is-being-deprecated/ JFrog has also agreed to do this, as has Pivotal.

I would appreciate it if the Eclipse Foundation followed the rest of the industry in this initiative and formally deprecated the HTTP port for download.eclipse.org and any/all other artifact servers operated by the Eclipse Foundation. If the Eclipse Foundation publishes a blog post about joining this initiative, I'm happy to include a link to it in the Gradle 6.0 release notes.
+1 let's make it happen.
Hi Dennis & Gunnar! This is awesome! If you could try to publish a blog post about this change in the next 7 days, I'd like to include this in the Gradle 6.0 release notes. Otherwise, I'm happy to just link to this issue. Cheers, Jonathan Leitschuh
For reference, here's JFrog's announcement: https://jfrog.com/blog/secure-jcenter-with-https/
Not sure about the impact of turning off port 80 altogether...
(In reply to Denis Roy from comment #4)
> Not sure about the impact of turning off port 80 altogether...

I think it requires a transition phase but eventually should happen. You don't have to do it right now, but with a timeline (e.g. by March 2020), why not?
Yup, I'll start floating this out.
From a PR perspective, I believe it may be best if everyone did this in a coordinated fashion. It will help keep any one org from experiencing too much PR blowback at any given time. You could consider following the JFrog model and start redirecting users starting October or November 1st.

I'm keeping a Gist current with all of the various announcements from all of the teams and their timelines. I'll update this as I get more blog announcements posted. https://gist.github.com/JLLeitschuh/789e49e3d34092a005031a0a1880af99

My disclosure has been out since June. It had over 16k readers. At this point, this is well past being an 0day vulnerability here.
Hi Eclipse Team, The blog post for Gradle was just published last Friday: https://blog.gradle.org/decommissioning-http If you have an announcement as well, I'm happy to update our blog to reference it as well. Cheers, Jonathan
In combination with this issue, please also resolve: repo.eclipse.org does not support TLS 1.1/1.2/1.3 https://bugs.eclipse.org/bugs/show_bug.cgi?id=559061
I think we can declare success here.
> I think we can declare success here.

Sorry, from a spot-check, you can't. http://repo.eclipse.org redirects to https://repo.eclipse.org. This isn't a fix. Simply redirecting still allows for a downgrade attack. repo.eclipse.org shouldn't support HTTP at all. It should throw an error when you try to connect under that protocol.
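The thread makes two checkable points: builds that reference `http://` repositories can be fed attacker-chosen artifacts by anyone on the path, and an artifact host that merely redirects port 80 to HTTPS is still "answering" on port 80, so a machine-in-the-middle can answer first. The script below is an added example written for this page, not code from Eclipse, Gradle, Sonatype or the reporter. It scans a build file for plain-HTTP repository URLs and probes a host's port 80, classifying the result as `refused` (the only state that actually removes the plaintext path), `redirect` (still downgradeable), or `serves` (content over plaintext). The pom snippet, the `repo.example.invalid` host and the local stand-in server are constructed fixtures so the block runs offline.

```python
"""Detect plain-HTTP artifact repositories and probe a host's port 80.

Added example for this bug thread; not Eclipse/Gradle project code.
Hosts under .invalid and the in-process server are constructed fixtures.
"""
import http.client
import re
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Matches scheme-qualified plain-http URLs; "https://" never matches because
# the character after "http" must be ":".
INSECURE_URL = re.compile(r"\bhttp://[^\s\"'<>]+")

# Constructed pom.xml fragment: one legacy http repository beside Maven Central.
SAMPLE_POM = """<project>
  <repositories>
    <repository>
      <id>legacy</id>
      <url>http://repo.example.invalid/maven2</url>
    </repository>
    <repository>
      <id>central</id>
      <url>https://repo1.maven.org/maven2</url>
    </repository>
  </repositories>
</project>
"""


def find_insecure_repository_urls(build_file_text):
    """Return every plain-http URL in a pom.xml, settings.xml or build.gradle."""
    return INSECURE_URL.findall(build_file_text)


def classify_plain_http(host, port=80, path="/", timeout=5.0):
    """Probe port `port` over plaintext and say how the host treats it.

    refused     nothing listens; a MITM has no plaintext request to hijack
    unreachable filtered/timed out; treated as not serving plaintext
    redirect    answers and points at https; a MITM can still answer first
    serves      hands out content over plaintext
    other       any other response
    """
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", path)
        resp = conn.getresponse()
        status, location = resp.status, resp.getheader("Location", "")
        conn.close()
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, OSError):
        return "unreachable"
    if status in (301, 302, 307, 308) and location.startswith("https://"):
        return "redirect"
    if status == 200:
        return "serves"
    return "other"


class _FakeArtifactServer(BaseHTTPRequestHandler):
    """Constructed stand-in for an artifact server's port 80 (fixture only)."""

    def do_GET(self):
        if self.path.startswith("/redirect"):
            # The "redirect to https" behaviour the thread says is not a fix.
            self.send_response(301)
            self.send_header("Location", "https://repo.example.invalid" + self.path)
            self.end_headers()
        else:
            # A server that still hands out artifacts over plaintext.
            body = b"PK\x03\x04 constructed placeholder, not a real jar"
            self.send_response(200)
            self.send_header("Content-Type", "application/java-archive")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

    def log_message(self, *args):  # keep the fixture quiet
        pass


def start_fake_server():
    """Start the fixture on a free loopback port; caller shuts it down."""
    server = HTTPServer(("127.0.0.1", 0), _FakeArtifactServer)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


if __name__ == "__main__":
    print("insecure repositories:", find_insecure_repository_urls(SAMPLE_POM))
    srv = start_fake_server()
    port = srv.server_address[1]
    print("redirecting host :", classify_plain_http("127.0.0.1", port, "/redirect/a.jar"))
    print("plaintext host   :", classify_plain_http("127.0.0.1", port, "/a.jar"))
    srv.shutdown()
    srv.server_close()
    print("closed port      :", classify_plain_http("127.0.0.1", port, "/a.jar"))
```

Against a real host, only `refused` (or `unreachable`) means the plaintext path is gone; `redirect` is exactly the state the last comment objects to, because the client still sends its first request in the clear and whoever answers that request on port 80 wins.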