How secure is using Maven?

Front-end · Unresolved · 3 answers · 1063
日久生厌 2021-01-31 15:14

What are the risks and possibilities or scenarios whereby someone sets up masquerades of Maven repositories and/or IP streams to provide masqueraded library copies of the origin?

3 answers
  •  星月不相逢
    2021-01-31 15:22

    I suppose a dedicated and resourceful attacker could perform an MITM attack and intercept all requests to public Maven repositories, carefully injecting malicious bytecode into the JAR artifacts, then recalculating and supplying the SHA1 hashes.

    To the client, it would appear as a legitimate artifact: the binary JAR and the SHA1 match and will be the same even if they check alternate mirrors.

    I suppose the only real solution is to request the central repos to support HTTPS (and trust that TLS itself hasn't been broken).

    Alternatively, a practical approach might be to set up a Maven proxy (Artifactory or Nexus) served over HTTPS to internal clients. This reduces the attack surface and means that you'll just have to secure the communication lines from that server to the outside world. I would periodically double check that the JARs and hashes on the proxy match those on the public mirrors using a totally independent, trusted network.

    If you really, really want to be secure you wouldn't be trusting binaries—instead, you'd be downloading all source code and reviewing them by hand before compiling them yourself—but that assumes you have enough qualified resources and time to conduct the reviews and trust your entire build tool chain to begin with.

    Well, security in layers as they always say.
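The cross-check this answer recommends, as an added example that is not from the post or from Maven's own tooling: it verifies a JAR against its `.sha1` sidecar the way a client does, then compares the same JAR against a digest fetched over an independent path. The JAR bytes, the sidecar contents and all function names here are constructed for the illustration.

```python
# Added example: local checksum verification vs. cross-source verification of a Maven JAR.
# Constructed sample data; not code from the original answer or from Maven.
import hashlib
import hmac
import io
import re
import zipfile

SHA1_HEX = re.compile(r"^[0-9a-fA-F]{40}$")


def parse_sha1_sidecar(text: str) -> str:
    """Digest from a Maven '.sha1' file: usually a bare hex string, sometimes
    '<hex>  artifact.jar' as written by sha1sum, so take the first token."""
    token = text.split()[0] if text.split() else ""
    if not SHA1_HEX.match(token):
        raise ValueError(f"malformed .sha1 content: {text!r}")
    return token.lower()


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def verify_against_sidecar(artifact: bytes, sidecar_text: str) -> bool:
    """The check a client performs: JAR bytes vs. the co-located .sha1."""
    return hmac.compare_digest(sha1_hex(artifact), parse_sha1_sidecar(sidecar_text))


def cross_check(proxy_artifact: bytes, independent_sha1_text: str) -> bool:
    """The extra step from the answer: the JAR held on the internal proxy vs. a
    .sha1 obtained over a separate, trusted path (e.g. HTTPS from another network)."""
    return verify_against_sidecar(proxy_artifact, independent_sha1_text)


def build_jar(extra_entry: str = "") -> bytes:
    """Constructed minimal JAR (zip with a manifest); an optional extra class
    entry stands in for injected bytecode."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if extra_entry:
            jar.writestr(extra_entry, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()


def demo() -> dict:
    genuine, tampered = build_jar(), build_jar("com/example/Injected.class")
    upstream_sha1 = sha1_hex(genuine) + "\n"   # what the real mirror serves
    attacker_sha1 = sha1_hex(tampered) + "\n"  # recalculated to match the altered JAR
    return {
        "tampered_passes_local_check": verify_against_sidecar(tampered, attacker_sha1),
        "tampered_passes_cross_check": cross_check(tampered, upstream_sha1),
        "genuine_passes_cross_check": cross_check(genuine, upstream_sha1),
    }
```

A matching `.sha1` next to the JAR proves nothing on its own; only the comparison against a digest that travelled a different path exposes the substitution.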
