[ https://issues.apache.org/jira/browse/MNG-6673?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Michael Osipov updated MNG-6673:
--------------------------------
    Priority: Major  (was: Blocker)

> Deprecate HTTP Download & Upload
> --------------------------------
>
>                 Key: MNG-6673
>                 URL: https://issues.apache.org/jira/browse/MNG-6673
>             Project: Maven
>          Issue Type: Improvement
>          Components: Deployment
>            Reporter: Jonathan Leitschuh
>            Priority: Major
>              Labels: SECURITY, security
>         Attachments: mitm_build.jpeg
>
>
> Some of the most popular Java projects in the JVM ecosystem are vulnerable to
> a MITM of their dependencies. This is something that build tools can help
> prevent.
> Starting in the next release of Maven, Maven should begin warning users about
> the use of HTTP to download/upload artifacts to/from artifact servers.
> I believe that Maven/Gradle/SBT should require users to opt-out of the
> security offered by using HTTPS to download/upload artifacts.
> Here's a list of projects that were found to be vulnerable to this:
> [https://docs.google.com/spreadsheets/d/1zemxj8QdIp0saqvwJx6Po1KnyEmJXl2KC_0j0SLd_2E/edit?usp=sharing]
>
> ----
> The full description of this industry-wide vulnerability can be found here:
> [Want to take over the Java ecosystem? All you need is a
> MITM!|https://medium.com/@jonathan.leitschuh/want-to-take-over-the-java-ecosystem-all-you-need-is-a-mitm-1fc329d898fb?source=friends_link&sk=3c99970c55a899ad9ef41f126efcde0e]
> !mitm_build.jpeg!

--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
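The warning the issue asks Maven to emit can be approximated today with a configuration audit. The script below is an added example, not code from the Maven project or from the reporter: it parses a pom.xml or settings.xml and reports every repository, plugin repository, distribution-management or mirror `<url>` that still uses plain http://, the configurations exposed to the MITM described above. The sample POM and the `repo.example.internal` host are constructed for the example.

```python
"""Flag plain-HTTP artifact repository URLs in Maven pom.xml / settings.xml.

Assumption: a repository URL is the <url> child of <repository>,
<pluginRepository>, <snapshotRepository>, <site> (distributionManagement)
or <mirror> (settings.xml). Anything fetched or deployed over http:// can be
intercepted and replaced on the wire.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

REPO_PARENTS = {"repository", "pluginRepository", "snapshotRepository", "site", "mirror"}


def _local(tag):
    # strip the XML namespace: "{http://maven.apache.org/POM/4.0.0}url" -> "url"
    return tag.rsplit("}", 1)[-1]


def find_insecure_repositories(xml_text):
    """Return (element name, repository id, url) for every http:// repository, in document order."""
    root = ET.fromstring(xml_text)
    findings = []
    for parent in root.iter():
        if _local(parent.tag) not in REPO_PARENTS:
            continue
        url = repo_id = None
        for child in parent:
            if _local(child.tag) == "url":
                url = (child.text or "").strip()
            elif _local(child.tag) == "id":
                repo_id = (child.text or "").strip()
        if url and urlparse(url).scheme.lower() == "http":
            findings.append((_local(parent.tag), repo_id, url))
    return findings


# constructed sample pom.xml: two plain-HTTP endpoints, one HTTPS plugin repository
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <repositories>
    <repository><id>internal</id><url>http://repo.example.internal/maven2</url></repository>
  </repositories>
  <pluginRepositories>
    <pluginRepository><id>central</id><url>https://repo.maven.apache.org/maven2</url></pluginRepository>
  </pluginRepositories>
  <distributionManagement>
    <snapshotRepository><id>snaps</id><url>http://repo.example.internal/snapshots</url></snapshotRepository>
  </distributionManagement>
</project>"""

if __name__ == "__main__":
    for kind, rid, url in find_insecure_repositories(SAMPLE_POM):
        print(f"WARNING: {kind} '{rid}' uses plain HTTP: {url}")
```

Run it against each pom.xml and ~/.m2/settings.xml in a build; a mirror entry in settings.xml silently redirects every repository, so an http:// mirror undoes an https:// pom.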