Making cabal-install SSL capable

Herbert Valerio Riedel hvriedel at gmail.com
Tue Apr 28 14:32:06 UTC 2015


On 2015-04-28 at 15:50:26 +0200, Michael Snoyman wrote:

[...]

>> PS: We shouldn't forget that there's also an existing deployed
>>     cabal-install user-base we can't get rid of so easily, which may
>>     still leak unencrypted basic-auth credentials for the years to
>>     come. Just saying...

> I agree on that front. I think that Hackage should turn away all uploads
> that aren't TLS-secured, and should make that change ASAP.

Well, even if you do that, you can only reject the upload-request
*after* the http client has already leaked the basic-auth credentials
over a non-secured http channel... :-/

So the only thing this measure would buy us IMHO is that CLI users would
get an incentive to upgrade their cabal-install tooling (if they use
e.g. `cabal upload`), but it wouldn't protect against accidentally
falling back to an older cabal-install version picked up by accident
(and then again compromising the credentials). I.e. this measure on its
own wouldn't remove the unsecured basic-auth eavesdropping attack-window
completely, only make it smaller.

Cheers,
  hvr
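
The ordering described in the message above, as an added example that is not part of the original post or of cabal-install: a server-side "reject non-TLS uploads" rule runs only after the client has serialised and sent the Authorization header, while a client-side scheme check stops the credentials before they reach the wire. The host name, the credentials, the 403 status and the model of TLS as "observer reads nothing" are constructed assumptions.

```python
import base64
from urllib.parse import urlsplit

def build_upload_request(url, user, password):
    """Serialise the upload request as a client does, before any server reply exists."""
    parts = urlsplit(url)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return (f"POST {parts.path or '/'} HTTP/1.1\r\n"
            f"Host: {parts.netloc}\r\n"
            f"Authorization: Basic {token}\r\n"
            "Content-Length: 0\r\n\r\n").encode()

def server_policy(over_tls):
    """Server-side measure: turn away non-TLS uploads (status code is an assumption)."""
    return "HTTP/1.1 200 OK" if over_tls else "HTTP/1.1 403 Forbidden"

def visible_on_wire(request_bytes, over_tls):
    """What a passive observer can read; Basic auth is base64 encoding, not encryption."""
    if over_tls:
        return None  # simplification: TLS hides the request from the observer
    for line in request_bytes.decode().split("\r\n"):
        if line.lower().startswith("authorization: basic "):
            return base64.b64decode(line.split(" ", 2)[2]).decode()
    return None

def guarded_upload_request(url, user, password):
    """Client-side measure: never serialise credentials for a non-https URL."""
    if urlsplit(url).scheme.lower() != "https":
        raise ValueError("refusing to send basic-auth credentials over " + url)
    return build_upload_request(url, user, password)

def simulate(url, user, password, guarded):
    """Run one upload attempt; report the server's answer and what was exposed."""
    over_tls = urlsplit(url).scheme.lower() == "https"
    build = guarded_upload_request if guarded else build_upload_request
    try:
        request = build(url, user, password)
    except ValueError:
        return {"status": None, "exposed": None}  # nothing left the client
    # The request is already on the wire when the server evaluates its policy.
    return {"status": server_policy(over_tls),
            "exposed": visible_on_wire(request, over_tls)}

if __name__ == "__main__":
    url = "http://hackage.example/upload"  # constructed host, not a real endpoint
    print("old client:    ", simulate(url, "alice", "constructed-pw", guarded=False))
    print("guarded client:", simulate(url, "alice", "constructed-pw", guarded=True))
```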

