[Haskell-cafe] [Security] Put haskell.org on https

Patrick Mylund Nielsen haskell at patrickmylund.com
Mon Oct 29 02:06:49 CET 2012


Sure. No matter what's done in Cabal, the clients for everything else will
still be mainly browsers.

On Mon, Oct 29, 2012 at 12:59 AM, Niklas Hambüchen <mail at nh2.me> wrote:

> No matter what we do with cabal, it would be great if I could soon point
> my browser at https://haskell.org *anyway*.
>
> On 28/10/12 23:55, Patrick Mylund Nielsen wrote:
> > Of course, as long as Cabal itself is distributed through this same
> > https-enabled site, you have the same PKI-backed security as just about
> > any major website. This model has problems, yes, but it's good enough,
> > and it's easy to use. If you really want to improve it (without
> > impacting usability), have Google/the browser vendors pin the public
> > cert for haskell.org.
> >
> > On Mon, Oct 29, 2012 at 12:45 AM, Patrick Mylund Nielsen
> > <haskell at patrickmylund.com> wrote:
> >
> >     PGP tends to present many usability issues, and in this case it
> >     would make more sense/provide a clearer win if there were many
> >     different, semi-untrusted hackage mirrors. Just enable HTTPS and
> >     have Cabal validate the server certificate against a CA pool of one.
> >     PKI/trusting obscure certificate authorities in Egypt and Syria is
> >     the biggest concern here, not somebody MITMing your initial Cabal
> >     installation (which in a lot of cases happens through apt-get or
> >     yum, anyway.)
> >
> >
> >     On Mon, Oct 29, 2012 at 12:34 AM, Changaco <changaco at changaco.net>
> >     wrote:
> >
> >         On Sun, 28 Oct 2012 17:07:24 -0400 Patrick Hurst wrote:
> >         > How do you get a copy of cabal while making sure that somebody
> >         > hasn't MITMed you and replaced the PGP key?
> >
> >         Ultimately it is a DNS problem. To establish a secure connection with
> >         haskell.org you'd have to get the certificate from the DNS, but that
> >         technology is not ready yet, so all you can do is check the key against
> >         as many sources as possible like Michael Walker said.
> >
> >         On Sun, 28 Oct 2012 17:46:06 -0400 Patrick Hurst wrote:
> >         > So why not use HTTPS?
> >
> >         Because it doesn't solve the problem.
> >
> >         _______________________________________________
> >         Haskell-Cafe mailing list
> >         Haskell-Cafe at haskell.org <mailto:Haskell-Cafe at haskell.org>
> >         http://www.haskell.org/mailman/listinfo/haskell-cafe
>
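
The two suggestions quoted above (a client that validates the server certificate against a CA pool of one, and pinning the site's certificate), sketched in Python as an added example; it is not part of the original message and is not Cabal's code. The function names, the `ca_file` path and the sample bytes are assumptions made for illustration.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed bytes standing in for a DER-encoded certificate.
SAMPLE_DER = b"constructed stand-in for a DER certificate"


def single_ca_context(ca_file=None):
    """Client context whose trust store holds only ca_file (PEM).

    SSLContext() starts with an empty store; the system CA bundle is only
    added by load_default_certs(), which is deliberately not called here.
    With ca_file=None the pool is empty and every handshake fails closed.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    if ca_file is not None:
        ctx.load_verify_locations(cafile=ca_file)
    return ctx


def cert_pin(der):
    """SHA-256 fingerprint (hex) of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


def pin_matches(der, allowed_pins):
    """True if the certificate's fingerprint is one of the allowed pins."""
    actual = cert_pin(der)
    return any(hmac.compare_digest(actual, p.lower()) for p in allowed_pins)


def fetch_pinned(host, ca_file, allowed_pins, port=443, timeout=10):
    """Handshake against the one-CA pool, then enforce the leaf pin."""
    ctx = single_ca_context(ca_file)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if not pin_matches(der, allowed_pins):
                raise ssl.SSLError("certificate matches no pinned fingerprint")
            return der
```

Shipping more than one pin in `allowed_pins` (current certificate plus a backup) lets the server rotate its certificate without locking out deployed clients.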