August 9th, 2022

HTTPS everywhere

Jon Douglas
Principal Program Manager

Safety guaranteed

As an ongoing effort to make HTTPS everywhere a reality for NuGet, we have taken a number of steps to help protect your everyday package management experiences.

Earlier this year, a security fact sheet from The White House reinforced companies to take action to secure our software supply chains.

HTTPS and SSL not only encrypt our data so it cannot be used if it is stolen, but it helps us to avoid MITM attacks. In short, it prevents someone from getting between you and NuGet. Every time you interact with NuGet, it should be over HTTPS so you can be sure the response you’re getting back is in fact being delivered by NuGet.

NuGet is HTTPS everywhere

Historically NuGet was only available over HTTP or unvalidated HTTPS connections. Over time and as HTTPS became more prevalent, we’ve been pushing more and more traffic onto HTTPS as a best practice.

On NuGet.org, we even made the decision to redirect API URLs from HTTP to HTTPS. These redirects over the HTTPS connections issue a HSTS header that instructs any supporting client to default to HTTPS from now on. If you were to access a HTTP URL however, it would silently redirect to HTTPS and appear to work, but you wouldn’t get any of the security properties of TLS because an attacker could intercept the request prior to the redirect happening.

For NuGet client experiences, we will be pushing towards the use of HTTPS sources as an on-going effort to bring HTTPS everywhere.

What You Can Expect

  • In NuGet 6.3, we have introduced a new NU1803 warning that will let you know that you’re using a non-HTTPS source.
  • In November 2023, we will upgrade that warning into a new error when a non-HTTPS source is used. You will be able to opt-out of this behavior for the time being to help migrate to HTTPS sources.
  • In November 2024, we will throw an error when a non-HTTPS source is used. You will not be able to opt-out of this behavior.

If you are unable to upgrade to a HTTPS source for reasons outside of your control, do work with your package source provider and provide us your feedback on your workflow so we are aware of it.

Closing

While older versions of NuGet will not include these changes for now, it is always recommended that you upgrade your tooling to the latest versions to ensure it supports verified TLS connections and default to proper HTTPS URLs.

For more details on NuGet 6.3, see our official release notes.

Feedback

Your feedback is important to us. If there are any problems with this experience, check our GitHub Issues and Visual Studio Developer Community for existing issues. For new issues within NuGet, please report a GitHub Issue. For general NuGet experience issues, let us know via the Report a Problem option found in your favorite IDE under Help > Report a Problem.

Author

Jon Douglas
Principal Program Manager

Jon Douglas is a Principal Program Manager for NuGet at Microsoft. In his spare time he is most likely spending time with his family, performing comedy improv, or playing video games.

15 comments

Discussion is closed. Login to edit/delete existing comments.

  • Mladen Mihajlovic

    Please, please, please don’t do this – https is NOT required everywhere, especially within a development environment and not all sources are external. People use VPN’s also for security. Please roll this back. It’s a horrible idea.

  • Quintos

    We use Baget as our private on-premised Nuget Server. So no need to use HTTPS. I hope there will be some settings for Nuget to Not treat HTTP address as ERROR. Like introduce some envs, NUGET_ERROR_IF_HTTP=false/true.

  • Andi

    Using https is a good thing when calling nuget.org. In our case it is not required. We have an own on-premise dev ops server in our private intranet. There a nuget store is running. Our company do not plan upgrade to https in our intranet.

    For the moment it is working well because it is only a warning. But you descriped that this warning will be converted to an error in future. Then we have a...

    Read more
    • Peter Shaw

      Another supporter here... this is a VERY BAD idea for most of the internal intranets that I work with.

      My own company's internal systems are NEVER accessed over a public facing IP address, in fact they are 100% firewalled off, and cannot be accessed outside the companies internal network ranges.

      I have juniors/trainees and learners that already get panicked when a server or build fails to show up, I'm not spending countless hours running around trying to...

      Read more
    • Craig Shea

      Agree, 1000%.

    • Sascha T

      We have the same Problem and i even can’t find a solution on how to migrate the Azure Devops Artifacts Feed to https. We would do it if necessary, but please tell me how?

    • Roman Nikitin

      I second this. I do not understand why companies should waste development resources to mitigate imaginary security concerns. MITM in the intranet? Sure.

      By removing the opt-out option Microsoft basically tells us “just shut up, we know what is better for you”. So arrogant.

  • Igor Nesterov

    Now I know why my build which worked yesterday perfectly, failed todays morning. Thanks)

    • Craig Shea

      Same. I get the secure thing…but really? This is a nightmare for those locally hosting packages on their own private NuGet server. Now it’s another security certificate to manage and for little value. This is one of the worst decisions yet. Ugh. Thanks for making my life even more difficult and causing all of my development team’s builds to begin to fail literally overnight.

    • Jon DouglasMicrosoft employee Author

      Did the new NU1803 warning fail your build? Or something else?

      • Craig Shea

        YES, this is failing ALL OF MY BUILDS….literally yesterday they worked, today the don’t.

      • Craig Shea

        Will try Nikolche Kolev’s idea in the meantime. But please realize that many people have internally hosted NuGet servers with no access to the internet for caching NuGet packages or hosting their own and do not need the complexity or the overhead of managing TLS certificates for these servers.

      • Nikolche KolevMicrosoft employee · Edited

        Hey all,

        NU1803 is a warning.
        It is likely that your project is elevating it to an error.

        You can consider NoWarn NU1803 temporarily.

      • AlanW · Edited

        this comment has been deleted.