[Haskell-cafe] ANNOUNCE: tls,
native TLS/SSL protocolimplementation
magnus at therning.org
Mon Oct 11 07:05:22 EDT 2010
On Mon, Oct 11, 2010 at 09:41, Brandon Moore <brandon_m_moore at yahoo.com> wrote:
> While I can see your point about potentially introducing new security holes,
> and producing much less trusted code, I feel having tidy, pure libraries
> that we can all integrate into our Haskell is a benefit that far outweighs
> this. Especially when we have nice things like the type system, which can
> be used to alleviate many of the security worries.
> I agree in general, for code like servers and file formats, but I worry in
> particular about cryptographic primitives. Some side channel attacks seem to
> call for a very low-level language, to make it easier to verify that e.g.
> execution time and the memory access pattern does not depend on the key.
I personally think we have to draw the line somewhere regarding what
we care about when it comes to security. (Provable) correctness,
maintainability through well-structured code are things we are more
likely to gain through using high-level languages like Haskell. That
is actually a lot of security bundled up in those things. What we
lose is low-level control, which would be required to thwart
side-channel attacks. On the other hand, I'm not convinced openssl or
gnutls deal with side-channel attacks very effectively either.
In any case, there is nothing that says we must have only *one* SSL
library, based on this discussion there seems to be people in the
community who still would prefer a binding to openssl/gnutls.
Magnus Therning (OpenPGP: 0xAB4DFBA4)
magnus＠therning．org Jabber: magnus＠therning．org
http://therning.org/magnus identi.ca|twitter: magthe
More information about the Haskell-Cafe