[Haskell-cafe] [Security] Put haskell.org on https
Niklas Hambüchen
mail at nh2.me
Tue Oct 30 21:52:50 CET 2012
So how do we go forward about getting the SSL certificate and installing it?
On 29/10/12 01:06, Patrick Mylund Nielsen wrote:
> Sure. No matter what's done in Cabal, the clients for everything else
> will still be mainly browsers.
>
> On Mon, Oct 29, 2012 at 12:59 AM, Niklas Hambüchen <mail at nh2.me
> <mailto:mail at nh2.me>> wrote:
>
> No matter what we do with cabal, it would be great if I could soon point
> my browser at https://haskell.org *anyway*.
>
> On 28/10/12 23:55, Patrick Mylund Nielsen wrote:
> > Of course, as long as Cabal itself is distributed through this same
> > https-enabled site, you have the same PKI-backed security as just
> about
> > any major website. This model has problems, yes, but it's good enough,
> > and it's easy to use. If you really want to improve it (without
> > impacting usability), have Google/the browser vendors pin the public
> > cert for haskell.org <http://haskell.org> <http://haskell.org>.
> >
> > On Mon, Oct 29, 2012 at 12:45 AM, Patrick Mylund Nielsen
> > <haskell at patrickmylund.com <mailto:haskell at patrickmylund.com>
> <mailto:haskell at patrickmylund.com
> <mailto:haskell at patrickmylund.com>>> wrote:
> >
> > PGP tends to present many usability issues, and in this case it
> > would make more sense/provide a clearer win if there were many
> > different, semi-untrusted hackage mirrors. Just enable HTTPS and
> > have Cabal validate the server certificate against a CA pool
> of one.
> > PKI/trusting obscure certificate authorities in Egypt and Syria is
> > the biggest concern here, not somebody MITMing your initial Cabal
> > installation (which in a lot of cases happens through apt-get or
> > yum, anyway.)
> >
> >
> > On Mon, Oct 29, 2012 at 12:34 AM, Changaco
> <changaco at changaco.net <mailto:changaco at changaco.net>
> > <mailto:changaco at changaco.net <mailto:changaco at changaco.net>>>
> wrote:
> >
> > On Sun, 28 Oct 2012 17:07:24 -0400 Patrick Hurst wrote:
> > > How do you get a copy of cabal while making sure that
> somebody
> > hasn't MITMed you and replaced the PGP key?
> >
> > Ultimately it is a DNS problem. To establish a secure
> connection
> > with
> > haskell.org <http://haskell.org> <http://haskell.org>
> you'd have to get the
> > certificate from the DNS, but that
> > technology is not ready yet, so all you can do is check
> the key
> > against
> > as many sources as possible like Michael Walker said.
> >
> > On Sun, 28 Oct 2012 17:46:06 -0400 Patrick Hurst wrote:
> > > So why not use HTTPS?
> >
> > Because it doesn't solve the problem.
> >
> > _______________________________________________
> > Haskell-Cafe mailing list
> > Haskell-Cafe at haskell.org <mailto:Haskell-Cafe at haskell.org>
> <mailto:Haskell-Cafe at haskell.org <mailto:Haskell-Cafe at haskell.org>>
> > http://www.haskell.org/mailman/listinfo/haskell-cafe
> >
> >
> >
> >
> >
> > _______________________________________________
> > Haskell-Cafe mailing list
> > Haskell-Cafe at haskell.org <mailto:Haskell-Cafe at haskell.org>
> > http://www.haskell.org/mailman/listinfo/haskell-cafe
> >
>
> _______________________________________________
> Haskell-Cafe mailing list
> Haskell-Cafe at haskell.org <mailto:Haskell-Cafe at haskell.org>
> http://www.haskell.org/mailman/listinfo/haskell-cafe
>
>
More information about the Haskell-Cafe
mailing list