[Haskell-cafe] [Security] Put haskell.org on https

Petr P petr.mvd at gmail.com
Sun Oct 28 13:38:46 CET 2012


  Erik,

does cabal need to do any authenticated stuff? For downloading
packages I think HTTP is perfectly fine. So we could have HTTP for
cabal download only and HTTPS for everything else.

  Best regards,
  Petr Pudlak

2012/10/28 Erik Hesselink <hesselink at gmail.com>:
> While I would love to have hackage available (or even forced) over
> https, I think the biggest reason it currently isn't, is that cabal
> would then also need https support. This means the HTTP library would
> need https support, which I've heard will be hard to implement
> cross-platform (read: on Windows).
>
> However, I guess providing https as an option is still a huge step
> forwards compared to the current situation.
>
> Erik
>
> On Sun, Oct 28, 2012 at 1:20 AM, Niklas Hambüchen <mail at nh2.me> wrote:
>> (I have mentioned this several times on #haskell, but nothing has
>> happened so far.)
>>
>> Are you aware that all haskell.org websites (hackage, HaskellWiki, ghc
>> trac) allow unencrypted http connections only?
>>
>> This means that everyone in the same Wifi can potentially
>>
>> - read your passwords for all of these services
>>
>> - abuse your hackage account and override arbitrary packages
>>   (especially since hackage allows everybody to override everything)
>>
>>
>> I propose we get an SSL certificate for haskell.org.
>> I also offer to donate that SSL certificate (or directly create it using
>> my Startcom account).
>>
>> Niklas
>>
>> _______________________________________________
>> Haskell-Cafe mailing list
>> Haskell-Cafe at haskell.org
>> http://www.haskell.org/mailman/listinfo/haskell-cafe


