[Haskell-cafe] [Security] Put haskell.org on https

Erik Hesselink hesselink at gmail.com
Sun Oct 28 13:42:30 CET 2012


I think it is only needed for 'cabal upload'. So if you upload via the
web only, you'd never send your password over plain HTTP.

Erik

On Sun, Oct 28, 2012 at 1:38 PM, Petr P <petr.mvd at gmail.com> wrote:
>   Erik,
>
> does cabal need to do any authenticated stuff? For downloading
> packages I think HTTP is perfectly fine. So we could have HTTP for
> cabal download only and HTTPS for everything else.
>
>   Best regards,
>   Petr Pudlak
>
> 2012/10/28 Erik Hesselink <hesselink at gmail.com>:
>> While I would love to have hackage available (or even forced) over
>> https, I think the biggest reason it currently isn't, is that cabal
>> would then also need https support. This means the HTTP library would
>> need https support, which I've heard will be hard to implement
>> cross-platform (read: on Windows).
>>
>> However, I guess providing https as an option is still a huge step
>> forwards compared to the current situation.
>>
>> Erik
>>
>> On Sun, Oct 28, 2012 at 1:20 AM, Niklas Hambüchen <mail at nh2.me> wrote:
>>> (I have mentioned this several times on #haskell, but nothing has
>>> happened so far.)
>>>
>>> Are you aware that all haskell.org websites (hackage, HaskellWiki, ghc
>>> trac) allow unencrypted http connections only?
>>>
>>> This means that everyone in the same Wifi can potentially
>>>
>>> - read your passwords for all of these services
>>>
>>> - abuse your hackage account and override arbitrary packages
>>>   (especially since hackage allows everybody to override everything)
>>>
>>>
>>> I propose we get an SSL certificate for haskell.org.
>>> I also offer to donate that SSL certificate (or directly create it using
>>> my Startcom account).
>>>
>>> Niklas
>>>
>>> _______________________________________________
>>> Haskell-Cafe mailing list
>>> Haskell-Cafe at haskell.org
>>> http://www.haskell.org/mailman/listinfo/haskell-cafe


