I'm glad to announce nohttp project , Look for any way to try to completely replace http:// Use .
today ,Jonathan Leitschuh Published a piece called “ Want to take over Java The ecological system ” The blog of ？[url=https://email@example.com/want-to-take-over-the-java-ecosystem-all-you-need-is-a-mitm-1fc329d898fb] All you need is a MITM！[/url]. The blog demonstrates hundreds of Java The library is going through HTTP Download dependencies . This will lead to potential MITM（ A middleman ） attack .
Unfortunately , There are many. Spring Project use HTTP To download dependencies . Fortunately, , We didn't find MITM Signs of a successful attack . We also solved this problem , To make sure it doesn't happen in the future MITM attack .
Spring Team reaction
Spring Team Great emphasis on security . Due to the discovery of Spring The project by HTTP Download dependencies , We have taken steps to ensure that it will not happen in the future MITM attack . The most obvious change is to update Maven Repository location to use HTTPS. however , We switch to using it all over the place HTTPS（ almost ） To take this step further .
Now it is 2019 year , We need to be sure to delete it HTTP Use ！ Use HTTPS Fast , Simple And Free supply , There is no reason to continue to use HTTP！ As a developer , It's important that we help the world transition to use... Everywhere HTTPS（ even to the extent that Static sites need HTTPS）.
We are certainly not the only ones trying to eliminate HTTP People who use . We To form the encryption , send HTTPS free , Automation and openness .Chrome It has been updated UI To indicate that HTTP unsafe .Maven Central Have been abandoned HTTP. The list goes on .
use HTTPS Replace HTTP
Spring The team did their best to update all URL To use the HTTPS. This includes from Maven The repository URL To Apache All content linked from license to document . In some cases , Can't use HTTPS. for example , Some of the sites we link to don't support HTTPS,XML The namespace identifier must match the identifier in the document , And so on .
adopt Classpath Of HTTPS XML Location
Before we eliminate HTTP In the effort to use ,Spring Framework Has been updated , To parse through classpath using HTTPS Positional XML Location . before , This only applies to the use of HTTP Of URL. Please consider the following XML To configure ：
<?xml version="1.0" encoding="UTF-8"?> <beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans https://www.springframework.org/schema/beans/spring-beans.xsd">
https://www.springframework.org/schema/beans/spring-beans.xsdURL Through classpath , Without the need for a network connection .
Please note that ,XML Namespace name （ identifier ） Cannot change to use HTTPS. From being able to implement safety control From the perspective of , It's not ideal , But never ask for a name over the network , So there's almost no harm to users .
Spring The team has updated all hosts to ensure that HTTPS. Every site supports HTTPS, Redirect to HTTPS, And use Strict transmission security .
Potential MITM It means that our building infrastructure may have been compromised . So , We rebuilt all the build infrastructure and rotated all the credentials .
New security controls
Although it's important to respond to security incidents , but Safety control measures It's also important to be in place , To make sure it doesn't happen again .
We updated the build box to prevent HTTP Traffic , To make sure it doesn't happen again . To protect developers and users , We created nohttp project . This item can be used to refer to , Replace and block http:// Use , At the same time, pragmatism allows unchangeable URL（ for example XML Namespace name ）. For other details , See the project's site .