Re: [Haskell-cafe] [Security] Put haskell.org on https

I think it is only needed for 'cabal upload'. So if you upload via the web only, you'd never send your password over plain HTTP. Erik On Sun, Oct 28, 2012 at 1:38 PM, Petr P wrote:

Erik,

does cabal need to do any authenticated stuff? For downloading packages I think HTTP is perfectly fine. So we could have HTTP for cabal download only and HTTPS for everything else.

Best regards, Petr Pudlak

2012/10/28 Erik Hesselink :

...

While I would love to have hackage available (or even forced) over https, I think the biggest reason it currently isn't, is that cabal would then also need https support. This means the HTTP library would need https support, which I've heard will be hard to implement cross-platform (read: on Windows).

However, I guess providing https as an option is still a huge step forwards compared to the current situation.

Erik

On Sun, Oct 28, 2012 at 1:20 AM, Niklas Hambüchen wrote:

...

(I have mentioned this several times on #haskell, but nothing has happened so far.)

Are you aware that all haskell.org websites (hackage, HaskellWiki, ghc trac) allow unencrypted http connections only?

This means that everyone in the same Wifi can potentially

- read you passwords for all of these services

- abuse your hackage account and override arbitrary packages (especially since hackage allows everybody to override everything)

I propose we get an SSL certificate for haskell.org. I also offer to donate that SSL certificate (or directly create it using my Startcom account).

Niklas

_______________________________________________ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe

_______________________________________________ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe