[Haskell-cafe] ANNOUNCE: tls, native TLS/SSL protocolimplementation

Magnus Therning magnus at therning.org
Mon Oct 11 07:05:22 EDT 2010

On Mon, Oct 11, 2010 at 09:41, Brandon Moore <brandon_m_moore at yahoo.com> wrote:
> While I can see your point about potentially introducing new security holes,
> and producing much less trusted code, I feel having tidy, pure libraries
> that we can all integrate into our Haskell is a benefit that far outweighs
> this.  Especially when we have nice things like the type system, which can
> be used to alleviate many of the security worries.
> I agree in general, for code like servers and file formats, but I worry in
> particular about cryptographic primitives. Some side channel attacks seem to
> call for a very low-level language, to make it easier to verify that e.g.
> execution time and the memory access pattern does not depend on the key.

I personally think we have to draw the line somewhere regarding what
we care about when it comes to security.  (Provable) correctness,
maintainability through well-structured code are things we are more
likely to gain through using high-level languages like Haskell.  That
is actually a lot of security bundled up in those things.  What we
lose is low-level control, which would be required to thwart
side-channel attacks.  On the other hand, I'm not convinced openssl or
gnutls deal with side-channel attacks very effectively either.

In any case, there is nothing that says we must have only *one* SSL
library, based on this discussion there seems to be people in the
community who still would prefer a binding to openssl/gnutls.


Magnus Therning                        (OpenPGP: 0xAB4DFBA4)
magnus@therning.org          Jabber: magnus@therning.org
http://therning.org/magnus         identi.ca|twitter: magthe

More information about the Haskell-Cafe mailing list