Announcing nohttp

Engineering
Rob Winch
June 10, 2019

I’m pleased to announce the nohttp project, which lets users find, replace, and prevent the usage of http://.
Background

Today, Jonathan Leitschuh published a blog post titled “Want to take over the Java ecosystem? All you need is a MITM!”. The post demonstrates that hundreds of Java libraries are downloading dependencies over HTTP. This opens the projects up to potential MITM (man in the middle) attacks.

Unfortunately, there were multiple Spring projects that were using HTTP to download dependencies. Fortunately, we uncovered no signs of a successful MITM attack. We have also addressed the issue to ensure that no MITM attacks can be made in the future.
Spring Team Reaction

The Spring Team takes security very seriously. Since discovering that there were Spring projects downloading dependencies over HTTP, we have taken measures to ensure that a MITM attack cannot happen in the future. The most obvious change is to update Maven repository locations to use HTTPS. However, we have taken this much further by switching to using HTTPS (almost) everywhere.

It is 2019, so, hopefully, it is apparent why we want to remove the usage of HTTP. Using HTTPS is fast, simple, and available for free, so there are no excuses for continuing to use HTTP. As developers, it is important that we help the world transition to use HTTPS everywhere (even static sites need HTTPS).

We certainly are not the only ones trying to eliminate HTTP usage. Let’s Encrypt was formed to make HTTPS free, automated, and open. Chrome has updated its UI to indicate that HTTP is insecure. Maven Central has deprecated the use of HTTP. The list goes on.
Replacing HTTP with HTTPS

The Spring team has gone to great lengths to update all of our URLs to use HTTPS. This includes everything from our Maven repository URLs, to Apache License, to documentation links. There are some instances where using HTTPS was not possible. For example, some sites we link to do not support HTTPS, XML namespace identifiers must match the identifier in the document, and so on.
HTTPS XML Locations through the Classpath

In our efforts to eliminate HTTP usage, Spring Framework has been updated to resolve XML schema locations that use HTTPS through the classpath. Previously, this was only done for schema locations that used HTTP. Consider the following XML configuration:

```xml
<?xml version="1.0" encoding="UTF-8"?>
```

The https://www.springframework.org/schema/beans/spring-beans.xsd URL is resolved through the classpath instead of requiring a network connection.

Notice that the XML namespace name, which is an identifier, cannot be changed to use HTTPS. This is not ideal from the perspective of being able to put security controls in place, but the name is never requested over a network, so it poses little harm to users.
Infrastructure Updates

The Spring team has updated all our hosts to ensure that HTTPS is being used. Each site supports HTTPS, redirects to HTTPS, and uses Strict Transport Security.

A potential MITM means that our build infrastructure could have been compromised. In response to this, we repaved all of our build infrastructure and rotated all of our credentials.
New Security Controls

While it is important to react to a security incident, it is also important to put security controls in place to ensure the problem does not happen again.

We have updated our build boxes to block HTTP traffic to ensure that this cannot happen again. To protect developers and our users, we have created the nohttp project. This project can be used to find, replace, and prevent http:// usage while being pragmatic about allowing URLs that cannot change (such as XML namespace names). For additional details, refer to the project’s site.
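As an added illustration of what a find/replace/prevent tool has to get right (this is example code written for this post, not the nohttp project's own implementation), the following Python script locates http:// URLs, allowlists XML namespace names such as the Spring beans namespace discussed above, and rewrites everything else to https://. The allowlist patterns, the sample beans file and the sample Gradle repository block are constructed for the example; nohttp ships its own, larger allowlist.

```python
import re
from typing import List, Tuple

# Any http:// URL, ending at whitespace or a quote/angle bracket.
HTTP_URL = re.compile(r"http://[^\s\"'<>]+")

# http:// strings that are identifiers rather than network locations
# (XML namespace names). Constructed allowlist for this example only.
ALLOWLIST = [
    re.compile(r"^http://www\.springframework\.org/schema/[a-z-]+$"),
    re.compile(r"^http://www\.w3\.org/2001/XMLSchema(-instance)?$"),
]

def is_allowed(url: str) -> bool:
    """True if the URL is a namespace name that must stay http://."""
    return any(p.match(url) for p in ALLOWLIST)

def find_http(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, url) for every http:// URL that should be fixed."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in HTTP_URL.finditer(line):
            if not is_allowed(m.group(0)):
                hits.append((lineno, m.group(0)))
    return hits

def replace_http(text: str) -> str:
    """Rewrite non-allowlisted http:// URLs to https://; namespace names stay."""
    def fix(m: "re.Match") -> str:
        url = m.group(0)
        return url if is_allowed(url) else "https://" + url[len("http://"):]
    return HTTP_URL.sub(fix, text)

# Constructed sample inputs: a Spring beans file whose schema location still
# uses http://, and a Gradle repository block pointing at a plain-HTTP mirror.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans.xsd">
</beans>
"""
SAMPLE_GRADLE = "repositories {\n    maven { url 'http://repo.example.com/maven' }\n}\n"

if __name__ == "__main__":
    for lineno, url in find_http(SAMPLE_XML + SAMPLE_GRADLE):
        print(f"line {lineno}: {url}")
    print(replace_http(SAMPLE_XML))
```

Only the schema location and the repository URL are reported; the two xmlns values are left untouched because they are never fetched.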
Join Us

We hope that you will join the revolution to help eliminate the usage of HTTP.