As stewards of Maven Central, Sonatype is responsible for hosting and transmitting a disproportionately high volume of the Java ecosystem’s open source components. In the month of November 2019 alone, total requests to Maven Central across North America and Europe alone reached 21 billion, with just under 2 petabytes of data transferred to our end users.
Beginning January 15, 2020, the Central Repository will no longer support communication over HTTP. Any attempts to access http://repo1.maven.org and http://repo.maven.apache.org/ will result in an error, and users will need to update their builds to resolve dependencies over HTTPS. Additionally, proxy repository remote URLs for your repository manager will also need to be updated to reflect the change to HTTPS.
Upgrading to HTTPS on January 15
Since the inception of Maven Central, data integrity is something we’ve historically taken very seriously beginning with the introduction of strict requirements for SHA-1 and MD5 checksums, to PGP signatures for assuring provenance. More recently we’ve introduced changes to deprecate known insecure versions of common security protocols such as TLSv1.1.
The natural continuation of this journey begins next month on January 15, 2020 when we will begin to enforce the use of HTTPS for all consumers of content from Maven Central. The resolution of dependencies over HTTP presents numerous security concerns, namely exposing development teams to man-in-the-middle (MITM) attacks in which malicious code is injected into dependencies during the build phase, thereby infecting the downstream components and ultimately their end-users. This vulnerability has become obvious to many who have already adopted HTTPS for the dependency resolution phase of their software build process.
In November 2019, 79% of all requests to Central were already made over HTTPS, with 21% still using insecure HTTP (down from 25% when this change was first announced in April 2019).
We would like to credit Jonathan Leitschuh for pushing this initiative across the ecosystem. As he writes:
HTTPS doesn’t just encrypt the traffic between the client and the server, it also provides a cryptographic guarantee that the client is communicating with the server requested and not a MITM imposter.
You can read his full writeup here.
Benefits to upgrading to HTTPS
While the transition to HTTPS may cause disruption for the minority of our users still using HTTP, we believe the time to making the switch to encryption is now for the greater benefit of the open-source community. We strongly encourage our users to make this transition well in advance of January 15, 2020 to avoid any potential disruption. If your environment does not support HTTPS, see below.
Despite the actions taken to provide a safe, secure environment for the distribution of open-source code, no build process should directly rely on large community OSS projects, even Maven Central. Make sure you’re using a caching proxy such as Sonatype Nexus Repository Manager to warehouse the components that have already met your organization’s standards for component integrity and furthermore provide greater resiliency for your build process.
We would like to extend our thanks to John Leitschuh for his leadership and dedication to the ongoing effort towards securing open source.
My environment does not support HTTPS, what can I do?
We recognize that for some of our users, there may be major technical limitations that prohibit making the switch to HTTPS, e.g. build environments still running JDK6. For those users, we have provided a separate domain to accommodate insecure traffic at http://insecure.repo1.maven.org. Make sure to replace all your existing references to http://repo1.maven.org or http://repo.maven.apache.org/ with this URL prior to the January 15 cutover date.