The Central Repository is Moving to HTTPS

As stewards of Maven Central, Sonatype hosts and transmits a very large share of the Java ecosystem's open-source components. In November 2019 alone, requests to Maven Central from North America and Europe reached 21 billion, with just under 2 petabytes of data transferred to end users.

Beginning January 15, 2020, The Central Repository will no longer support communication over HTTP. Any attempt to access Central over plain HTTP will result in an error, and users will need to update their builds to resolve dependencies over HTTPS. Proxy repository remote URLs in your repository manager (for example a Nexus or Artifactory proxy of Central) will also need to be updated to HTTPS.
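The switch described above is a configuration change: every `<url>` that points at Central (or at a repository manager proxying it) must use `https://`. The following script, an added example that is not part of the Sonatype post, audits a Maven `settings.xml` or `pom.xml` for `<url>` elements still on plain HTTP, flags the ones that hit Central (the real hosts `repo1.maven.org` and `repo.maven.apache.org`), and emits an HTTPS-only copy. The embedded `settings.xml` is constructed for this example; `nexus.example.internal` is a hypothetical corporate proxy. Note the edge case: the `xmlns="http://maven.apache.org/..."` namespace declaration is an identifier, not a download URL, and must be left alone.

```python
"""Audit Maven settings.xml / pom.xml for repository URLs still served over
plain HTTP and produce an HTTPS-only copy.

Added example, not code from the Sonatype post. CENTRAL_HOSTS are the real
public Central hostnames; SAMPLE_SETTINGS is constructed for this example.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Hostnames through which Maven and Gradle reach The Central Repository.
CENTRAL_HOSTS = {"repo1.maven.org", "repo.maven.apache.org"}

# Constructed sample: one mirror of Central still on HTTP, and a corporate
# proxy (hypothetical host) that is already on HTTPS.
SAMPLE_SETTINGS = """<?xml version="1.0" encoding="UTF-8"?>
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <mirrors>
    <mirror>
      <id>central-insecure</id>
      <mirrorOf>central</mirrorOf>
      <url>http://repo1.maven.org/maven2/</url>
    </mirror>
    <mirror>
      <id>corp-proxy</id>
      <mirrorOf>*</mirrorOf>
      <url>https://nexus.example.internal/repository/maven-public/</url>
    </mirror>
  </mirrors>
</settings>
"""


def _local(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree prepends to tag names."""
    return tag.rsplit("}", 1)[-1]


def find_http_urls(xml_text: str) -> list[tuple[str, str, bool]]:
    """Return (element id, url, is_central) for every <url> element whose
    scheme is plain http. Only element text is inspected, so the
    xmlns="http://..." namespace declaration is never reported."""
    root = ET.fromstring(xml_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for elem in root.iter():
        if _local(elem.tag) != "url":
            continue
        url = (elem.text or "").strip()
        parsed = urlparse(url)
        if parsed.scheme.lower() != "http":
            continue
        # The sibling <id> (of the enclosing <mirror>/<repository>) names the entry.
        ident = ""
        owner = parent_of.get(elem)
        if owner is not None:
            for sibling in owner:
                if _local(sibling.tag) == "id":
                    ident = (sibling.text or "").strip()
        findings.append((ident, url, (parsed.hostname or "") in CENTRAL_HOSTS))
    return findings


# Match "http://" only when it is the text of a <url> element, so namespace
# URIs and other attributes are left untouched.
_HTTP_URL_ELEMENT = re.compile(r"(<url>\s*)http://", re.IGNORECASE)


def upgrade_to_https(xml_text: str) -> tuple[str, int]:
    """Rewrite http:// to https:// inside <url> elements. Returns the new
    document text and the number of URLs changed."""
    return _HTTP_URL_ELEMENT.subn(r"\g<1>https://", xml_text)


if __name__ == "__main__":
    for ident, url, central in find_http_urls(SAMPLE_SETTINGS):
        where = "Central" if central else "other"
        print(f"insecure {where} repository '{ident}': {url}")
    fixed, count = upgrade_to_https(SAMPLE_SETTINGS)
    print(f"rewrote {count} URL(s); remaining http: {find_http_urls(fixed)}")
```

Run the audit against every `settings.xml`, `pom.xml` (including `<repositories>` and `<pluginRepositories>`), and the equivalent `repositories { maven { url ... } }` blocks in Gradle builds before the cut-over date; a build that still references `http://repo1.maven.org` will fail once HTTP is turned off rather than silently falling back. Releases of Maven from 3.8.1 onward additionally block `http://` repositories by default, so an HTTPS-only configuration is also what a current Maven expects.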

Upgrading to HTTPS on January 15

Since the inception of Maven Central, we have taken data integrity seriously: first with strict requirements for SHA-1 and MD5 checksums alongside every artifact, then with PGP signatures to assure provenance. More recently we have deprecated known-insecure versions of common security protocols such as TLSv1.1. Checksums and signatures only go so far on their own, though: a checksum fetched over the same plaintext connection as the artifact can be rewritten together with it, and a PGP signature protects a consumer only if the build actually verifies it against trusted keys.

The natural continuation of this journey begins next month, on January 15th, 2020, when we will begin to enforce the use of HTTPS for all consumers of content from Maven Central. Resolving dependencies over HTTP presents numerous security concerns, chiefly exposing development teams to man-in-the-middle (MITM) attacks in which malicious code is injected into dependencies during the build phase, thereby infecting the downstream components and ultimately their end users. Many consumers have already recognized this risk and moved the dependency resolution phase of their software builds to HTTPS.

In November 2019, 79% of all requests to Central were already made over HTTPS, with 21% still using insecure HTTP (down from 25% when this change was first

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Terry Yanko. Read the original post at: