[Haskell-cafe] [Security] Put haskell.org on https
petr.mvd at gmail.com
Sun Oct 28 13:38:46 CET 2012
does cabal need to do any authenticated stuff? For downloading
packages I think HTTP is perfectly fine. So we could have HTTP for
cabal download only and HTTPS for everything else.
2012/10/28 Erik Hesselink <hesselink at gmail.com>:
> While I would love to have hackage available (or even forced) over
> https, I think the biggest reason it currently isn't, is that cabal
> would then also need https support. This means the HTTP library would
> need https support, which I've heard will be hard to implement
> cross-platform (read: on Windows).
> However, I guess providing https as an option is still a huge step
> forwards compared to the current situation.
> On Sun, Oct 28, 2012 at 1:20 AM, Niklas Hambüchen <mail at nh2.me> wrote:
>> (I have mentioned this several times on #haskell, but nothing has
>> happened so far.)
>> Are you aware that all haskell.org websites (hackage, HaskellWiki, ghc
>> trac) allow unencrypted http connections only?
>> This means that everyone in the same Wifi can potentially
>> - read you passwords for all of these services
>> - abuse your hackage account and override arbitrary packages
>> (especially since hackage allows everybody to override everything)
>> I propose we get an SSL certificate for haskell.org.
>> I also offer to donate that SSL certificate (or directly create it using
>> my Startcom account).
>> Haskell-Cafe mailing list
>> Haskell-Cafe at haskell.org
> Haskell-Cafe mailing list
> Haskell-Cafe at haskell.org
More information about the Haskell-Cafe