Goodbye http://repo.spring (use https)

Engineering | Rob Winch | September 16, 2019 | ...

In response to our nohttp announcement, Maven Central’s announcement, and JFrog’s announcement, beginning January 15 2020, Spring’s Maven Repository will no longer support HTTP. More concretely, http://repo.spring.io will not respond to requests. Users will need to ensure that they are using https://repo.spring.io

We are not going to redirect from http to https because it perpetuates the vulnerability. When the first request is made over http, a man in the middle (MITM) can prevent the redirect and replace the response with a malicious payload. Users that continue to use http will continue to be vulnerable to MITM attacks.

It is worth pointing out that redirecting to https is beneficial to browsers. This is because after the redirect to https within a browser, subsequent requests will then make any subsequent requests over https. The user is vulnerable in the initial request, but the number of vulnerable requests drops to just the initial requests. This can be further improved for a browser by using Strict Transport Security to eliminate any initial requests to http going forward.

The browser behavior, which preserves state, is quite different from a CLI client which will continue to request every resource over http. This is why we are not doing a redirect. We want the CLI clients to fail fast so they know they need to protect themselves.

Get the Spring newsletter

Stay connected with the Spring newsletter

Subscribe

Get ahead

VMware offers training and certification to turbo-charge your progress.

Learn more

Get support

Tanzu Spring offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.

Learn more

Upcoming events

Check out all the upcoming events in the Spring community.

View all