[Haskell-cafe] [Security] Put haskell.org on https
petr.mvd at gmail.com
Sun Oct 28 17:46:10 CET 2012
2012/10/28 Changaco <changaco at changaco.net>:
> It doesn't matter what kind of certificate the server uses since the
> client generally doesn't know about it, especially on first connection.
> Some programs remember the certificate between uses and inform you
> when it changes, but that's not perfect either.
In this particular case, cabal can have the public part of the
certificate built-in (as it has the web address built in). So once one
has a verified installation of cabal, it can verify the server
packages without being susceptible to a MitM attack (no matter if
they're PGP signed or X.509 signed).
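
An added example, not part of the original post and not cabal's code: a sketch contrasting the "remember the certificate between uses" approach from the quoted text with a pin built into the client, when the very first connection is intercepted. The certificate bytes, host name and class names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed stand-ins for DER-encoded certificates (not real certificates).
# A real client would obtain the bytes via ssl.SSLSocket.getpeercert(binary_form=True).
GENUINE_CERT = b"constructed-DER-bytes: genuine server certificate"
ATTACKER_CERT = b"constructed-DER-bytes: certificate presented by a MitM"

def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of the certificate bytes, as hex."""
    return hashlib.sha256(der_cert).hexdigest()

# Built-in pin: shipped inside the client, like the server address is.
BUILT_IN_PIN = fingerprint(GENUINE_CERT)

class RememberingClient:
    """Remembers the first certificate seen per host and flags later changes."""
    def __init__(self):
        self.known = {}

    def check(self, host: str, der_cert: bytes) -> bool:
        seen = fingerprint(der_cert)
        stored = self.known.setdefault(host, seen)  # first use is trusted blindly
        return hmac.compare_digest(stored, seen)

class PinnedClient:
    """Compares every connection against the pin built into the client."""
    def check(self, host: str, der_cert: bytes) -> bool:
        return hmac.compare_digest(BUILT_IN_PIN, fingerprint(der_cert))

def first_connection_intercepted() -> dict:
    """Simulate a MitM on the first connection, then the genuine server."""
    host = "server.example"  # placeholder host name
    remembering, pinned = RememberingClient(), PinnedClient()
    return {
        "remembering_accepts_mitm": remembering.check(host, ATTACKER_CERT),
        "remembering_accepts_genuine_later": remembering.check(host, GENUINE_CERT),
        "pinned_accepts_mitm": pinned.check(host, ATTACKER_CERT),
        "pinned_accepts_genuine": pinned.check(host, GENUINE_CERT),
    }

if __name__ == "__main__":
    for name, value in first_connection_intercepted().items():
        print(f"{name}: {value}")
```

The pinned client is only as trustworthy as the installation that carries the pin, which is the "verified installation" condition in the post.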