On May 5, 2014, at 2:38 PM, Paul Moore <p.f.mo...@gmail.com> wrote: > On 5 May 2014 17:58, Donald Stufft <don...@stufft.io> wrote: >> pip and virtualenv have moved their documentation away from >> http://www.pip-installer.org/ and http://www.virtualenv.org/ to >> https://pip.pypa.io/ >> and https://virtualenv.pypa.io/. The new locations are still backed by >> ReadTheDocs however they are fronted by Fastly and have enforced TLS. > > Purely out of curiosity and an interest in reducing my level of > ignorance over security, what's the point in having documentation > behind HTTPS? Is there a security exposure in reading docs that is > mitigated by using HTTPS? Or is it just a matter of consistency and a > principle of always using a secure protocol? > > Paul
So a few reasons: * We link to the get-pip.py from the documentation, now that file is hosted via HTTPS, however it would be trivial for someone to MITM the documentation and point to something hosted elsewhere that was malicious. * We list some commands to run, some of which are examples. It would be pretty shitty if someone MITM'd and replaced those with a command that installs a malicious package and people blindly copy/pasted them. * Consistency. * There's no good reason not to do it! ----------------- Donald Stufft PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
signature.asc
Description: Message signed with OpenPGP using GPGMail
_______________________________________________ Distutils-SIG maillist - Distutils-SIG@python.org https://mail.python.org/mailman/listinfo/distutils-sig
