[Haskell-cafe] [Security] Put haskell.org on https
Patrick Mylund Nielsen
haskell at patrickmylund.com
Mon Oct 29 00:55:34 CET 2012
Of course, as long as Cabal itself is distributed through this same
https-enabled site, you have the same PKI-backed security as just about any
major website. This model has problems, yes, but it's good enough, and it's
easy to use. If you really want to improve it (without impacting
usability), have Google/the browser vendors pin the public cert for
On Mon, Oct 29, 2012 at 12:45 AM, Patrick Mylund Nielsen <
haskell at patrickmylund.com> wrote:
> PGP tends to present many usability issues, and in this case it would make
> more sense/provide a clearer win if there were many different,
> semi-untrusted hackage mirrors. Just enable HTTPS and have Cabal validate
> the server certificate against a CA pool of one. PKI/trusting obscure
> certificate authorities in Egypt and Syria is the biggest concern here, not
> somebody MITMing your initial Cabal installation (which in a lot of cases
> happens through apt-get or yum, anyway.)
> On Mon, Oct 29, 2012 at 12:34 AM, Changaco <changaco at changaco.net> wrote:
>> On Sun, 28 Oct 2012 17:07:24 -0400 Patrick Hurst wrote:
>> > How do you get a copy of cabal while making sure that somebody hasn't
>> MITMed you and replaced the PGP key?
>> Ultimately it is a DNS problem. To establish a secure connection with
>> haskell.org you'd have to get the certificate from the DNS, but that
>> technology is not ready yet, so all you can do is check the key against
>> as many sources as possible like Michael Walker said.
>> On Sun, 28 Oct 2012 17:46:06 -0400 Patrick Hurst wrote:
>> > So why not use HTTPS?
>> Because it doesn't solve the problem.
>> Haskell-Cafe mailing list
>> Haskell-Cafe at haskell.org
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Haskell-Cafe