Spring's nohttp Manifesto: eliminate http://

Jiedao jdon 2021-05-03 19:18:03


I'm pleased to announce the nohttp project, which looks for and replaces any use of http://.

Background

Today, Jonathan Leitschuh published a blog post titled "Want to take over the Java ecosystem? All you need is a MITM!" (https://medium.com/@jonathan.leitschuh/want-to-take-over-the-java-ecosystem-all-you-need-is-a-mitm-1fc329d898fb). The post demonstrates that hundreds of Java libraries download their dependencies over HTTP, which exposes them to man-in-the-middle (MITM) attacks.

Unfortunately, many Spring projects used HTTP to download dependencies. Fortunately, we found no signs of a successful MITM attack. We have also fixed the problem to ensure that an MITM attack cannot happen in the future.

The Spring team's response

The Spring team takes security very seriously. Given that Spring projects were found to download dependencies over HTTP, we have taken steps to ensure that an MITM attack cannot happen in the future. The most obvious change is updating the Maven repository locations to use HTTPS. However, we went a step further and switched to HTTPS (almost) everywhere.

It is 2019, and we need to make sure we remove the use of HTTP! HTTPS is fast, simple, and free, so there is no reason to keep using HTTP. As developers, it is important that we help the world transition to using HTTPS everywhere (even static sites need HTTPS).

We are certainly not the only ones trying to eliminate the use of HTTP. Let's Encrypt makes HTTPS free, automated, and open. Chrome has updated its UI to indicate that HTTP is not secure. Maven Central has deprecated HTTP. The list goes on.

Replacing HTTP with HTTPS

The Spring team has done its best to update all URLs to use HTTPS. This includes everything from Maven repository URLs to the Apache license link to documentation. In some cases, HTTPS cannot be used. For example, some of the sites we link to do not support HTTPS, XML namespace identifiers must match the identifier in the document, and so on.

HTTPS XML locations via the classpath

Before the effort to eliminate the use of HTTP, Spring Framework was updated to resolve XML locations that use HTTPS through the classpath. Previously, this only worked for URLs that used HTTP. Consider the following XML configuration:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        https://www.springframework.org/schema/beans/spring-beans.xsd">
</beans>

The https://www.springframework.org/schema/beans/spring-beans.xsd URL is resolved through the classpath, without the need for a network connection.

Note that XML namespace names (identifiers) cannot be changed to use HTTPS. From the standpoint of being able to enforce security controls, this is not ideal, but the name is never requested over the network, so there is very little harm to users.

Infrastructure updates

The Spring team has updated all hosts to ensure that they use HTTPS. Every site supports HTTPS, redirects to HTTPS, and uses Strict Transport Security.

A potential MITM means that our build infrastructure may have been compromised. So we rebuilt all of our build infrastructure and rotated all credentials.

New security controls

While it is important to respond to security incidents, it is also important to have security controls in place to ensure it does not happen again.

We updated our build boxes to block HTTP traffic, to ensure it does not happen again. To protect developers and users, we created the nohttp project. It can be used to find, replace, and block uses of http:// while pragmatically allowing URLs that cannot change (for example, XML namespace names). For further details, see the project's site.

Copyright notice
This article was written by [Jiedao jdon]. Please include the original link when reposting. Thank you.
https://qdmana.com/2021/05/20210503191545669b.html
