Re: [Haskell-cafe] [Security] Put haskell.org on https

29 Oct 2012


      Sure. No matter what's done in Cabal, the clients for everything else will
still be mainly browsers.

On Mon, Oct 29, 2012 at 12:59 AM, Niklas Hambüchen  wrote:
...
No matter what we do with cabal, it would be great if I could soon point
my browser at https://haskell.org *anyway*.
On 28/10/12 23:55, Patrick Mylund Nielsen wrote:
...
Of course, as long as Cabal itself is distributed through this same
https-enabled site, you have the same PKI-backed security as just about
any major website. This model has problems, yes, but it's good enough,
and it's easy to use. If you really want to improve it (without
impacting usability), have Google/the browser vendors pin the public
cert for haskell.org http://haskell.org.
On Mon, Oct 29, 2012 at 12:45 AM, Patrick Mylund Nielsen
mailto:haskell@patrickmylund.com> wrote:
PGP tends to present many usability issues, and in this case it
    would make more sense/provide a clearer win if there were many
    different, semi-untrusted hackage mirrors. Just enable HTTPS and
    have Cabal validate the server certificate against a CA pool of one.
    PKI/trusting obscure certificate authorities in Egypt and Syria is
    the biggest concern here, not somebody MITMing your initial Cabal
    installation (which in a lot of cases happens through apt-get or
    yum, anyway.)
On Mon, Oct 29, 2012 at 12:34 AM, Changaco mailto:changaco@changaco.net> wrote:
On Sun, 28 Oct 2012 17:07:24 -0400 Patrick Hurst wrote:
        > How do you get a copy of cabal while making sure that somebody
        hasn't MITMed you and replaced the PGP key?
Ultimately it is a DNS problem. To establish a secure connection
        with
        haskell.org http://haskell.org you'd have to get the
        certificate from the DNS, but that
        technology is not ready yet, so all you can do is check the key
        against
        as many sources as possible like Michael Walker said.
On Sun, 28 Oct 2012 17:46:06 -0400 Patrick Hurst wrote:
        > So why not use HTTPS?
Because it doesn't solve the problem.
_______________________________________________
        Haskell-Cafe mailing list
        Haskell-Cafe@haskell.org mailto:Haskell-Cafe@haskell.org
        http://www.haskell.org/mailman/listinfo/haskell-cafe
_______________________________________________
Haskell-Cafe mailing list
Haskell-Cafe@haskell.org
http://www.haskell.org/mailman/listinfo/haskell-cafe
_______________________________________________
Haskell-Cafe mailing list
Haskell-Cafe@haskell.org
http://www.haskell.org/mailman/listinfo/haskell-cafe