I’m pleased to announce the nohttp project, which lets users find, replace, and prevent the usage of
Today, Jonathan Leitschuh published a blog titled Want to take over the Java ecosystem? All you need is a MITM!. The blog demonstrates that hundreds of Java libraries are downloading dependencies over HTTP. This opens the projects up to potential MITM (man in the middle) attacks.
Unfortunately, there were multiple Spring projects that were using HTTP to download dependencies. Fortunately, we uncovered no signs of a successful MITM attack. We have also addressed the issue to ensure that no MITM attacks can be made in the future.