Re: [Haskell-cafe] [Security] Put haskell.org on https

Of course, as long as Cabal itself is distributed through this same https-enabled site, you have the same PKI-backed security as just about any major website. This model has problems, yes, but it's good enough, and it's easy to use. If you really want to improve it (without impacting usability), have Google/the browser vendors pin the public cert for haskell.org. On Mon, Oct 29, 2012 at 12:45 AM, Patrick Mylund Nielsen < haskell@patrickmylund.com> wrote:

PGP tends to present many usability issues, and in this case it would make more sense/provide a clearer win if there were many different, semi-untrusted hackage mirrors. Just enable HTTPS and have Cabal validate the server certificate against a CA pool of one. PKI/trusting obscure certificate authorities in Egypt and Syria is the biggest concern here, not somebody MITMing your initial Cabal installation (which in a lot of cases happens through apt-get or yum, anyway.)

On Mon, Oct 29, 2012 at 12:34 AM, Changaco wrote:

...

On Sun, 28 Oct 2012 17:07:24 -0400 Patrick Hurst wrote:

...

How do you get a copy of cabal while making sure that somebody hasn't MITMed you and replaced the PGP key?

Ultimately it is a DNS problem. To establish a secure connection with haskell.org you'd have to get the certificate from the DNS, but that technology is not ready yet, so all you can do is check the key against as many sources as possible like Michael Walker said.

On Sun, 28 Oct 2012 17:46:06 -0400 Patrick Hurst wrote:

...

So why not use HTTPS?

Because it doesn't solve the problem.

_______________________________________________ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe