Comments (9)
Hello,
I will close this issue.
I am the owner of mycila.com. It is set to renew each year, it's been like that for years, and it won't change. Also, the domain is locked so nobody can take ownership or transfer it.
from license-maven-plugin.
Once somebody buys this domain, he/she can take over the ownership of the "com.mycila" Group ID in Maven Central (and/or other public repositories) and start distributing malicious code.
@liry That doesn't seem to be true. According to a comment from the Maven Central maintainers, an existing namespace cannot be claimed by buying an orphaned domain and using DNS validation. For existing namespaces it's a manual process.
See:
The outlined attack strategy involves searching for expired domains to establish credentials for publishing malicious components on Maven Central. However, this attack is not feasible due to the automation in place. While DNS validation is used for namespace validation, it only applies to new ones. Attempts to register an existing namespace will fail, and we have manual validation procedures in place. To further enhance security, we have disabled all accounts associated with expired domains and GitHub projects. Any future attempts to leverage current and future expired domains will undergo a thorough assessment by our team, ensuring evidence of ownership of not just the domain but also the underlying project.
-- https://www.sonatype.com/sonatypes-ongoing-commitment-to-maven-central
Ok, thanks for pointing to this.
But there exist also other attack vectors, like possibility of introducing the component into some other public repository, right? It may not have such a big blast radius like Maven Central, but still may be a problem for some users.
But there exist also other attack vectors, like possibility of introducing the component into some other public repository, right? It may not have such a big blast radius like Maven Central, but still may be a problem for some users.
Right, if a project configures other repositories than Maven Central and those repositories don't have rigid processes for ownership claims, a project can be vulnerable.
I'm one of the authors of the research. I came here to see who bought the mycila.com domain. If it's not @mathieucarbou (he hasn't commented on it yet), it could be a sign of an attack.
Also,
That doesn't seem to be true. According to a comment from the Maven Central maintainers, an existing namespace cannot be claimed by buying an orphaned domain and using DNS validation. For existing namespaces it's a manual process
In the article, we used two different repositories, not only MavenCentral. It's true that MavenCentral blocks automatic (via a DNS TXT record) groupId claims for known (already registered in their repository) groupIds + for vulnerable groupIds that we shared with them. However, there are other public repositories such as JitPack, Gradle, and others that can be used to attack the developers.
Very interesting! Two days ago GoDaddy marked it for sale, I have a saved screenshot:
Very interesting! Two days ago GoDaddy marked it for sale, I have a saved screenshot
This sort of click-bait ad does not mean anything. Try adding to a cart and it will be marked as unavailable.
They are probably not happy with the fact that I've transferred all my domain names to Cloudflare registrar ;-)
I've also verified my listings at auctions.godaddy.com and it is not there.
But it is true that I see the domain listed there. But as it is stated, the owner has to agree to the transfer.
So if you buy it, I will refuse the transfer and you'll have $1000 USD to recover from GoDaddy 😆
Just for clarity:
mycila.com is not old: it is registered and renewed each year and locked from any transfer.
https://who.is/whois/mycila.com
Domain registrars are offering auctions, which are a way to make an offer to buy an existing domain. The domain owner can refuse or accept the ownership transfer.
https://www.elegantthemes.com/blog/business/how-to-buy-a-domain-name-that-is-already-taken
Domain availability cannot be checked from a registrar allowing such auctions... You need to use a standard whois mechanism.
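The thread above makes two practical points: a Maven groupId such as "com.mycila" is backed by the domain mycila.com, and the only reliable way to know whether that domain is registered, locked and renewed is a WHOIS/RDAP lookup rather than a registrar's auction listing. The script below turns that into a check a dependency owner can run over the groupIds in a pom. It is an added example written for this page, not code from license-maven-plugin or from any commenter. Its assumptions are labelled in the code: the groupId-to-domain rule is the plain reverse-domain convention (no public-suffix list), the risk thresholds are the example's own, and the RDAP records are constructed sample data on reserved example domains, not real lookups of mycila.com or any other name.

```python
"""Added example for the discussion above; not code from license-maven-plugin
or any participant. Maps Maven groupIds to the domain that backs them and
grades the domain's registration state from an RDAP (RFC 9083) record:
expiry date, transfer lock, and deletion states. The RDAP documents here are
CONSTRUCTED sample data on reserved example domains; the groupId -> domain
rule and the risk thresholds are assumptions made for the example."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone

# Hosting-based namespaces are verified against the code host, not a domain
# the publisher owns, so the domain check does not apply to them.
# (Assumption: this list is illustrative, not Sonatype's own.)
HOSTED_PREFIXES = ("io.github.", "com.github.", "io.gitlab.")


def group_id_to_domain(group_id: str) -> str | None:
    """Reverse-domain rule: 'com.mycila' -> 'mycila.com',
    'com.example.team' -> 'example.com' (first two labels only).
    Assumption: no public-suffix list is consulted, so registries such as
    'co.uk' are mis-handled. Returns None for hosted namespaces."""
    if group_id.startswith(HOSTED_PREFIXES):
        return None
    labels = group_id.split(".")
    if len(labels) < 2:
        return None
    return f"{labels[1]}.{labels[0]}"


def _norm(status: str) -> str:
    # RDAP spells EPP status codes with spaces ("client transfer prohibited",
    # RFC 8056); accept either spelling.
    return status.replace(" ", "").lower()


TRANSFER_LOCKS = {"clienttransferprohibited", "servertransferprohibited"}
DELETION_STATES = {"pendingdelete", "redemptionperiod"}


@dataclass(frozen=True)
class DomainAssessment:
    group_id: str
    domain: str | None
    registered: bool
    transfer_locked: bool
    days_to_expiry: int | None
    risk: str  # "n/a", "ok", "unlocked", "expiring", "unregistered"


def assess(group_id: str, rdap: dict | None, now: datetime,
           expiry_warning_days: int = 30) -> DomainAssessment:
    """Grade one groupId. rdap=None means the registry had no record
    (the name can simply be bought)."""
    domain = group_id_to_domain(group_id)
    if domain is None:
        return DomainAssessment(group_id, None, False, False, None, "n/a")
    if rdap is None:
        return DomainAssessment(group_id, domain, False, False, None, "unregistered")
    status = {_norm(s) for s in rdap.get("status", [])}
    locked = bool(status & TRANSFER_LOCKS)
    days = None
    for event in rdap.get("events", []):
        if event.get("eventAction") == "expiration":
            exp = datetime.fromisoformat(event["eventDate"].replace("Z", "+00:00"))
            days = (exp - now).days
    if status & DELETION_STATES or (days is not None and days < expiry_warning_days):
        risk = "expiring"
    elif not locked:
        risk = "unlocked"  # registered, but a transfer could go through
    else:
        risk = "ok"
    return DomainAssessment(group_id, domain, True, locked, days, risk)


# Constructed sample RDAP records keyed by domain (reserved example names).
SAMPLE_RDAP = {
    "example.com": {  # renewed and locked: the situation the owner describes
        "objectClassName": "domain", "ldhName": "example.com",
        "status": ["client transfer prohibited", "client delete prohibited"],
        "events": [{"eventAction": "expiration", "eventDate": "2030-01-01T00:00:00Z"}],
    },
    "example.org": {  # lapsed and in the deletion pipeline
        "objectClassName": "domain", "ldhName": "example.org",
        "status": ["pending delete"],
        "events": [{"eventAction": "expiration", "eventDate": "2023-11-15T00:00:00Z"}],
    },
    # "example.net" is absent on purpose: the lookup returns None (not registered).
}
SAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # fixed clock for the sample


def audit(group_ids: list[str], rdap_by_domain: dict[str, dict],
          now: datetime) -> list[DomainAssessment]:
    """Audit groupIds (e.g. collected from a pom) against a domain -> RDAP map.
    Swap rdap_by_domain for a live RDAP client to run it against real registries."""
    results = []
    for gid in group_ids:
        domain = group_id_to_domain(gid)
        results.append(assess(gid, rdap_by_domain.get(domain) if domain else None, now))
    return results


def run_sample_audit() -> dict[str, DomainAssessment]:
    """Run the audit over the constructed sample, keyed by groupId."""
    gids = ["com.example", "org.example", "net.example", "io.github.someone"]
    return {a.group_id: a for a in audit(gids, SAMPLE_RDAP, SAMPLE_NOW)}


if __name__ == "__main__":
    for a in run_sample_audit().values():
        print(f"{a.group_id:20} {a.domain or '-':14} locked={a.transfer_locked!s:5} "
              f"days_to_expiry={a.days_to_expiry} risk={a.risk}")
```

The "unlocked" grade is the point the owner makes in the thread: a registered, renewed domain without a transfer lock is still the weaker position. Note that, as the Sonatype statement quoted above says, an "unregistered" or "expiring" result does not by itself mean the Maven Central namespace can be re-claimed automatically; it flags a domain whose namespace could be claimed on repositories without a manual ownership process.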