[Haskell-cafe] [Security] Put haskell.org on https
Jason Dagit
dagit at codersbase.com
Fri Nov 2 18:49:40 CET 2012
Thanks Iavor et al.
I agree. I'll see what we can do. We have budget for this so hopefully it
will be a simple matter of finding people to implement the change.
Jason
On Fri, Nov 2, 2012 at 10:34 AM, Iavor Diatchki <iavor.diatchki at gmail.com> wrote:
> Hello,
>
> I think that getting a certificate is a good idea. I think this could
> probably be arranged by the haskell.org committee, which even has a
> budget for things like that, I believe. I'm cc-ing Jason, who's on
> the committee and might have more input on what's the best way to proceed.
>
> Thanks for bringing this up!
> -Iavor
>
>
> On Fri, Nov 2, 2012 at 5:14 AM, Ramana Kumar <Ramana.Kumar at cl.cam.ac.uk> wrote:
>
>> Who is the webmaster for haskell.org? Presumably they will be required
>> in the process of installing the certificate.
>>
>> As far as obtaining goes, one can obtain a free certificate from StartSSL
>> - see https://www.startssl.com
>> There are other CAs, but if nobody has any strong preferences, I
>> recommend going with them.
>>
>>
>> On Tue, Oct 30, 2012 at 8:52 PM, Niklas Hambüchen <mail at nh2.me> wrote:
>>
>>> So how do we go forward about getting the SSL certificate and installing
>>> it?
>>>
>>> On 29/10/12 01:06, Patrick Mylund Nielsen wrote:
>>> > Sure. No matter what's done in Cabal, the clients for everything else
>>> > will still be mainly browsers.
>>> >
>>> > On Mon, Oct 29, 2012 at 12:59 AM, Niklas Hambüchen <mail at nh2.me> wrote:
>>> >
>>> > No matter what we do with cabal, it would be great if I could soon point
>>> > my browser at https://haskell.org *anyway*.
>>> >
>>> > On 28/10/12 23:55, Patrick Mylund Nielsen wrote:
>>> > > Of course, as long as Cabal itself is distributed through this same
>>> > > https-enabled site, you have the same PKI-backed security as just about
>>> > > any major website. This model has problems, yes, but it's good enough,
>>> > > and it's easy to use. If you really want to improve it (without
>>> > > impacting usability), have Google/the browser vendors pin the public
>>> > > cert for haskell.org.
>>> > >
>>> > > On Mon, Oct 29, 2012 at 12:45 AM, Patrick Mylund Nielsen
>>> > > <haskell at patrickmylund.com> wrote:
>>> > >
>>> > > PGP tends to present many usability issues, and in this case it
>>> > > would make more sense/provide a clearer win if there were many
>>> > > different, semi-untrusted hackage mirrors. Just enable HTTPS and
>>> > > have Cabal validate the server certificate against a CA pool of one.
>>> > > PKI/trusting obscure certificate authorities in Egypt and Syria is
>>> > > the biggest concern here, not somebody MITMing your initial Cabal
>>> > > installation (which in a lot of cases happens through apt-get or
>>> > > yum, anyway.)
>>> > >
>>> > >
>>> > > On Mon, Oct 29, 2012 at 12:34 AM, Changaco <changaco at changaco.net> wrote:
>>> > >
>>> > > On Sun, 28 Oct 2012 17:07:24 -0400 Patrick Hurst wrote:
>>> > > > How do you get a copy of cabal while making sure that somebody
>>> > > > hasn't MITMed you and replaced the PGP key?
>>> > >
>>> > > Ultimately it is a DNS problem. To establish a secure connection with
>>> > > haskell.org you'd have to get the certificate from the DNS, but that
>>> > > technology is not ready yet, so all you can do is check the key against
>>> > > as many sources as possible like Michael Walker said.
>>> > >
>>> > > On Sun, 28 Oct 2012 17:46:06 -0400 Patrick Hurst wrote:
>>> > > > So why not use HTTPS?
>>> > >
>>> > > Because it doesn't solve the problem.
>>> > >
>>> > > _______________________________________________
>>> > > Haskell-Cafe mailing list
>>> > > Haskell-Cafe at haskell.org
>>> > > http://www.haskell.org/mailman/listinfo/haskell-cafe
>