[Haskell-cafe] [Security] Put haskell.org on https

[Patrick Hurst]

On Oct 28, 2012, at 12:10 PM, Changaco <changaco at changaco.net> wrote:

> On Sun, 28 Oct 2012 16:39:10 +0100 Iustin Pop wrote:
>> Sure, but I was talking about a proper certificate signed by a
>> well-known registrar, at which point the https client would default to
>> verify the signature against the system certificate store.
> 
> It doesn't matter what kind of certificate the server uses since the
> client generally doesn't know about it, especially on first connection.
> Some programs remember the certificate between uses and inform you
> when it changes, but that's not perfect either.
> 
>> Yes, I'm fully aware that this is not fully safe, but I hope you agree
>> that https with a proper certificate is much better than plain http.
> 
> I agree that X.509 provides some protection, but PGP is better.
> 
> My point was: when possible don't rely on X.509 for security, build a
> Web of Trust instead.
> 

The reason HTTPS works is that most operating systems will have a list of some number of root CAs (or a way to get them via some other channel that the OS trusts, such as through GPG-signed packages) that it implicitly trusts. The user gets the security without any extra effort on their end.

On the other hand, with PGP, any user who wants to be secure but doesn't use GPG would have to verify the identity of whoever signed the Cabal GPG key, and most non-Linux operating systems don't come with a list of trusted GPG keys. So how do they get them without using HTTPS (since if you use HTTPS to figure out what keys you trust, your scheme is no more secure than HTTPS)?