[Haskell-cafe] SSL support for hackage and cabal
Vincent Hanquez
tab at snarc.org
Mon Nov 4 06:24:21 UTC 2013
On 2013-11-03 17:48, Scott Lawrence wrote:
> One could argue that the potential for a false sense of security could
> make (very) bad encryption worse than no encryption.
>
Well. No, a false sense of security is bad, however it has no link with
your absolute level of security.

Even a bad cryptographic implementation provides some security in a sense,
at worst by obscurity (which is very poor security, but not zero), and in
the best case (of the bad) a rather hard problem for resource-less people.

Now I'm not saying that bad implementations are OK, and certainly I hope
that's not the case in tls, but in the context where we got nothing, just
as John Wiegley rightfully mentioned, the risk is quite small.

It's rather sad to see the "I'd rather have *no* security whatsoever,
than maybe have some" hard line.
> Personally, I've always been a bit uncomfortable with the small number
> of widely-used implementations (AFAIK OpenSSL and GnuTLS combined
> account for pretty much all TLS-using open-source software), and I
> think pushing another one into wider usage would be a good thing
> (while acknowledging that it's likely more vulnerable than the older
> implementations).
>
That, and also that half of the OpenSSL CVEs in the past 20 years were
buffer overflows/underflows. Nothing to do with cryptography, but rather
just simple memory management.

I think this has got to give some security points for a (mostly) Haskell
implementation.
--
Vincent