Niklas Hambüchen | 28 Oct 01:20 2012

[Security] Put haskell.org on https

(I have mentioned this several times on #haskell, but nothing has
happened so far.)

Are you aware that all haskell.org websites (hackage, HaskellWiki, ghc
trac) allow unencrypted http connections only?

This means that everyone in the same Wifi can potentially

- read your passwords for all of these services

- abuse your hackage account and override arbitrary packages
  (especially since hackage allows everybody to override everything)

I propose we get an SSL certificate for haskell.org.
I also offer to donate that SSL certificate (or directly create it using
my Startcom account).

Niklas
José Pedro Magalhães | 28 Oct 07:37 2012

Re: [Security] Put haskell.org on https

+1


Pedro

On Sun, Oct 28, 2012 at 12:20 AM, Niklas Hambüchen <mail <at> nh2.me> wrote:
(I have mentioned this several times on #haskell, but nothing has
happened so far.)

Are you aware that all haskell.org websites (hackage, HaskellWiki, ghc
trac) allow unencrypted http connections only?

This means that everyone in the same Wifi can potentially

- read your passwords for all of these services

- abuse your hackage account and override arbitrary packages
  (especially since hackage allows everybody to override everything)


I propose we get an SSL certificate for haskell.org.
I also offer to donate that SSL certificate (or directly create it using
my Startcom account).

Niklas

_______________________________________________
Haskell-Cafe mailing list
Haskell-Cafe <at> haskell.org
http://www.haskell.org/mailman/listinfo/haskell-cafe
Francesco Mazzoli | 28 Oct 09:27 2012

Re: [Security] Put haskell.org on https

At Sun, 28 Oct 2012 00:20:16 +0100,
Niklas Hambüchen wrote:
> (I have mentioned this several times on #haskell, but nothing has
> happened so far.)
> 
> Are you aware that all haskell.org websites (hackage, HaskellWiki, ghc
> trac) allow unencrypted http connections only?
> 
> This means that everyone in the same Wifi can potentially
> 
> - read your passwords for all of these services
> 
> - abuse your hackage account and override arbitrary packages
>   (especially since hackage allows everybody to override everything)
> 
> 
> I propose we get an SSL certificate for haskell.org.
> I also offer to donate that SSL certificate (or directly create it using
> my Startcom account).

Agreed, I can chip in - but I think a certificate is pretty cheap nowadays :).

--
Francesco

Petr P | 28 Oct 09:51 2012

Re: [Security] Put haskell.org on https

2012/10/28 Francesco Mazzoli <f <at> mazzo.li>:
> At Sun, 28 Oct 2012 00:20:16 +0100,
> Niklas Hambüchen wrote:
>> (I have mentioned this several times on #haskell, but nothing has
>> happened so far.)
>>
>> Are you aware that all haskell.org websites (hackage, HaskellWiki, ghc
>> trac) allow unencrypted http connections only?
>>
>> This means that everyone in the same Wifi can potentially
>>
>> - read your passwords for all of these services
>>
>> - abuse your hackage account and override arbitrary packages
>>   (especially since hackage allows everybody to override everything)
>>
>>
>> I propose we get an SSL certificate for haskell.org.
>> I also offer to donate that SSL certificate (or directly create it using
>> my Startcom account).
>
> Agreed, I can chip in - but I think a certificate is pretty cheap nowadays :).

Good idea, I completely support it. Major sites like Google, Github,
BitBucket, etc. are https only nowadays.

Petr Pudlak
Ramana Kumar | 28 Oct 11:06 2012

Re: [Security] Put haskell.org on https

I support this proposal too.
More reasons to use HTTPS can be found at https://www.eff.org/https-everywhere/deploying-https

On Sun, Oct 28, 2012 at 8:51 AM, Petr P <petr.mvd <at> gmail.com> wrote:
2012/10/28 Francesco Mazzoli <f <at> mazzo.li>:
> At Sun, 28 Oct 2012 00:20:16 +0100,
> Niklas Hambüchen wrote:
>> (I have mentioned this several times on #haskell, but nothing has
>> happened so far.)
>>
>> Are you aware that all haskell.org websites (hackage, HaskellWiki, ghc
>> trac) allow unencrypted http connections only?
>>
>> This means that everyone in the same Wifi can potentially
>>
>> - read your passwords for all of these services
>>
>> - abuse your hackage account and override arbitrary packages
>>   (especially since hackage allows everybody to override everything)
>>
>>
>> I propose we get an SSL certificate for haskell.org.
>> I also offer to donate that SSL certificate (or directly create it using
>> my Startcom account).
>
> Agreed, I can chip in - but I think a certificate is pretty cheap nowadays :).

Good idea, I completely support it. Major sites like Google, Github,
BitBucket, etc. are https only nowadays.

Petr Pudlak
Dmitry Vyal | 28 Oct 11:59 2012

Re: [Security] Put haskell.org on https

On 10/28/2012 03:20 AM, Niklas Hambüchen wrote:
> - abuse your hackage account and override arbitrary packages
>    (especially since hackage allows everybody to override everything)
Does hackage at least store the logs of package uploads? What's the
reason for such a security model? I guess it was appropriate in the past
when hackage was an experimental service, but now it's a standard way of
distributing Haskell code. If anyone can update any package, we are
waiting for a disaster. I have some Haskell code I wrote myself
running as root and these thoughts make me shiver.

HTTPS is a must-have in the current situation, but it's only part of a solution.
Francesco Mazzoli | 28 Oct 12:11 2012

Re: [Security] Put haskell.org on https

At Sun, 28 Oct 2012 14:59:00 +0400,
Dmitry Vyal wrote:
> Does hackage at least store the logs of package uploads? What's the reason for
> such a security model? I guess it was appropriate in the past when hackage was
> an experimental service, but now it's a standard way of distributing Haskell
> code. If anyone can update any package, we are waiting for a disaster. I
> have some Haskell code I wrote myself running as root and these thoughts make
> me shiver.

There is no good reason for it to be like that, it is truly bad.  Hackage2 has
been in the works for a while and will fix this "problem".  More information
here: <http://hackage.haskell.org/trac/hackage/wiki/HackageDB/2.0>.
Erik Hesselink | 28 Oct 13:28 2012

Re: [Security] Put haskell.org on https

While I would love to have hackage available (or even forced) over
https, I think the biggest reason it currently isn't, is that cabal
would then also need https support. This means the HTTP library would
need https support, which I've heard will be hard to implement
cross-platform (read: on Windows).

However, I guess providing https as an option is still a huge step
forwards compared to the current situation.

Erik

On Sun, Oct 28, 2012 at 1:20 AM, Niklas Hambüchen <mail <at> nh2.me> wrote:
> (I have mentioned this several times on #haskell, but nothing has
> happened so far.)
>
> Are you aware that all haskell.org websites (hackage, HaskellWiki, ghc
> trac) allow unencrypted http connections only?
>
> This means that everyone in the same Wifi can potentially
>
> - read your passwords for all of these services
>
> - abuse your hackage account and override arbitrary packages
>   (especially since hackage allows everybody to override everything)
>
>
> I propose we get an SSL certificate for haskell.org.
> I also offer to donate that SSL certificate (or directly create it using
> my Startcom account).
>
> Niklas
Petr P | 28 Oct 13:38 2012

Re: [Security] Put haskell.org on https

  Erik,

does cabal need to do any authenticated stuff? For downloading
packages I think HTTP is perfectly fine. So we could have HTTP for
cabal download only and HTTPS for everything else.

  Best regards,
  Petr Pudlak

2012/10/28 Erik Hesselink <hesselink <at> gmail.com>:
> While I would love to have hackage available (or even forced) over
> https, I think the biggest reason it currently isn't, is that cabal
> would then also need https support. This means the HTTP library would
> need https support, which I've heard will be hard to implement
> cross-platform (read: on Windows).
>
> However, I guess providing https as an option is still a huge step
> forwards compared to the current situation.
>
> Erik
>
> On Sun, Oct 28, 2012 at 1:20 AM, Niklas Hambüchen <mail <at> nh2.me> wrote:
>> (I have mentioned this several times on #haskell, but nothing has
>> happened so far.)
>>
>> Are you aware that all haskell.org websites (hackage, HaskellWiki, ghc
>> trac) allow unencrypted http connections only?
>>
>> This means that everyone in the same Wifi can potentially
>>
>> - read your passwords for all of these services
>>
>> - abuse your hackage account and override arbitrary packages
>>   (especially since hackage allows everybody to override everything)
>>
>>
>> I propose we get an SSL certificate for haskell.org.
>> I also offer to donate that SSL certificate (or directly create it using
>> my Startcom account).
>>
>> Niklas
Erik Hesselink | 28 Oct 13:42 2012

Re: [Security] Put haskell.org on https

I think it is only needed for 'cabal upload'. So if you upload via the
web only, you'd never send your password over plain HTTP.

Erik

On Sun, Oct 28, 2012 at 1:38 PM, Petr P <petr.mvd <at> gmail.com> wrote:
>   Erik,
>
> does cabal need to do any authenticated stuff? For downloading
> packages I think HTTP is perfectly fine. So we could have HTTP for
> cabal download only and HTTPS for everything else.
>
>   Best regards,
>   Petr Pudlak
>
> 2012/10/28 Erik Hesselink <hesselink <at> gmail.com>:
>> While I would love to have hackage available (or even forced) over
>> https, I think the biggest reason it currently isn't, is that cabal
>> would then also need https support. This means the HTTP library would
>> need https support, which I've heard will be hard to implement
>> cross-platform (read: on Windows).
>>
>> However, I guess providing https as an option is still a huge step
>> forwards compared to the current situation.
>>
>> Erik
>>
>> On Sun, Oct 28, 2012 at 1:20 AM, Niklas Hambüchen <mail <at> nh2.me> wrote:
>>> (I have mentioned this several times on #haskell, but nothing has
>>> happened so far.)
>>>
>>> Are you aware that all haskell.org websites (hackage, HaskellWiki, ghc
>>> trac) allow unencrypted http connections only?
>>>
>>> This means that everyone in the same Wifi can potentially
>>>
>>> - read your passwords for all of these services
>>>
>>> - abuse your hackage account and override arbitrary packages
>>>   (especially since hackage allows everybody to override everything)
>>>
>>>
>>> I propose we get an SSL certificate for haskell.org.
>>> I also offer to donate that SSL certificate (or directly create it using
>>> my Startcom account).
>>>
>>> Niklas
Iustin Pop | 28 Oct 14:45 2012

Re: [Security] Put haskell.org on https

On Sun, Oct 28, 2012 at 01:38:46PM +0100, Petr P wrote:
>   Erik,
> 
> does cabal need to do any authenticated stuff? For downloading
> packages I think HTTP is perfectly fine. So we could have HTTP for
> cabal download only and HTTPS for everything else.

Kindly disagree here. Ensuring that packages are downloaded
safely/correctly without MITM attacks is also important. Even if as an
option.

regards,
iustin
Petr P | 28 Oct 15:53 2012

Re: [Security] Put haskell.org on https

2012/10/28 Iustin Pop <iusty <at> k1024.org>:
> On Sun, Oct 28, 2012 at 01:38:46PM +0100, Petr P wrote:
>> does cabal need to do any authenticated stuff? For downloading
>> packages I think HTTP is perfectly fine. So we could have HTTP for
>> cabal download only and HTTPS for everything else.
>
> Kindly disagree here. Ensuring that packages are downloaded
> safely/correctly without MITM attacks is also important. Even if as an
> option.

Good point. But if cabal+https is a problem, this could be solved by
other means too, for example by signing the packages.

Best regards,
Petr Pudlak
Iustin Pop | 28 Oct 16:06 2012

Re: [Security] Put haskell.org on https

On Sun, Oct 28, 2012 at 03:53:04PM +0100, Petr P wrote:
> 2012/10/28 Iustin Pop <iusty <at> k1024.org>:
> > On Sun, Oct 28, 2012 at 01:38:46PM +0100, Petr P wrote:
> >> does cabal need to do any authenticated stuff? For downloading
> >> packages I think HTTP is perfectly fine. So we could have HTTP for
> >> cabal download only and HTTPS for everything else.
> >
> > Kindly disagree here. Ensuring that packages are downloaded
> > safely/correctly without MITM attacks is also important. Even if as an
> > option.
> 
> Good point. But if cabal+https is a problem, this could be solved by
> other means too, for example by signing the packages.

Well, I agree, but then the same could be applied on upload too, like
Debian does - instead of user+pw, register a GPG key.

iustin
Changaco | 28 Oct 16:26 2012

Re: [Security] Put haskell.org on https

On Sun, 28 Oct 2012 14:45:02 +0100 Iustin Pop wrote:
> Kindly disagree here. Ensuring that packages are downloaded
> safely/correctly without MITM attacks is also important. Even if as an
> option.

HTTPS doesn't fully protect against a MITM since there is no shared
secret between client and server prior to the connection.

The MITM can use a self-signed certificate, or possibly a certificate
signed by a compromised CA.
Iustin Pop | 28 Oct 16:39 2012

Re: [Security] Put haskell.org on https

On Sun, Oct 28, 2012 at 04:26:07PM +0100, Changaco wrote:
> On Sun, 28 Oct 2012 14:45:02 +0100 Iustin Pop wrote:
> > Kindly disagree here. Ensuring that packages are downloaded
> > safely/correctly without MITM attacks is also important. Even if as an
> > option.
> 
> HTTPS doesn't fully protect against a MITM since there is no shared
> secret between client and server prior to the connection.
> 
> The MITM can use a self-signed certificate, or possibly a certificate
> signed by a compromised CA.

Sure, but I was talking about a proper certificate signed by a
well-known registrar, at which point the https client would default to
verify the signature against the system certificate store.

Yes, I'm fully aware that this is not fully safe, but I hope you agree
that https with a proper certificate is much better than plain http.

regards,
iustin
Changaco | 28 Oct 17:10 2012

Re: [Security] Put haskell.org on https

On Sun, 28 Oct 2012 16:39:10 +0100 Iustin Pop wrote:
> Sure, but I was talking about a proper certificate signed by a
> well-known registrar, at which point the https client would default to
> verify the signature against the system certificate store.

It doesn't matter what kind of certificate the server uses since the
client generally doesn't know about it, especially on first connection.
Some programs remember the certificate between uses and inform you
when it changes, but that's not perfect either.

> Yes, I'm fully aware that this is not fully safe, but I hope you agree
> that https with a proper certificate is much better than plain http.

I agree that X.509 provides some protection, but PGP is better.

My point was: when possible don't rely on X.509 for security, build a
Web of Trust instead.
Petr P | 28 Oct 17:46 2012

Re: [Security] Put haskell.org on https

2012/10/28 Changaco <changaco <at> changaco.net>:
> It doesn't matter what kind of certificate the server uses since the
> client generally doesn't know about it, especially on first connection.
> Some programs remember the certificate between uses and inform you
> when it changes, but that's not perfect either.

In this particular case, cabal can have the public part of the
certificate built-in (as it has the web address built in). So once one
has a verified installation of cabal, it can verify the server
packages without being susceptible to MitM attack (no matter if
they're PGP signed or X.509 signed).

Best regards,
Petr Pudlak
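
An added illustration of the two trust models debated in the messages above (not code from cabal, Hackage, or any participant): a client that remembers the first certificate it sees, next to a client that ships with the expected fingerprints built in. The host name, certificate bytes, and class names are constructed for the example.

```python
import hashlib
import hmac

# Constructed stand-ins for DER-encoded certificates. In a real client these
# bytes would come from ssl.SSLSocket.getpeercert(binary_form=True).
GENUINE_CERT = b"constructed-der-bytes: genuine server certificate"
ROTATED_CERT = b"constructed-der-bytes: genuine certificate after renewal"
INTERCEPTOR_CERT = b"constructed-der-bytes: certificate shown by an interceptor"
HOST = "hackage.example"  # placeholder host name, an assumption of this example


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of the certificate bytes, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


class TofuStore:
    """Trust on first use: remember the first certificate seen per host."""

    def __init__(self):
        self._known = {}

    def check(self, host: str, der_cert: bytes) -> str:
        seen = fingerprint(der_cert)
        known = self._known.get(host)
        if known is None:
            # Nothing to compare against, so whatever arrives first is trusted.
            self._known[host] = seen
            return "first-use-accepted"
        if hmac.compare_digest(known, seen):
            return "match"
        # Could be interception or a legitimate renewal; the store cannot tell.
        return "changed"


class BuiltInPins:
    """Fingerprints shipped inside the client, so they are only as
    trustworthy as the way the client itself was obtained."""

    def __init__(self, pins):
        # Several pins per host allow a planned certificate renewal.
        self._pins = {host: frozenset(fps) for host, fps in pins.items()}

    def check(self, host: str, der_cert: bytes) -> str:
        pins = self._pins.get(host)
        if not pins:
            return "no-pin"
        seen = fingerprint(der_cert)
        if any(hmac.compare_digest(seen, pin) for pin in pins):
            return "match"
        return "mismatch"


def replay(checker, presented):
    """Feed a sequence of presented certificates to one checker."""
    return [checker.check(HOST, cert) for cert in presented]


if __name__ == "__main__":
    pins = {HOST: [fingerprint(GENUINE_CERT), fingerprint(ROTATED_CERT)]}
    for name, certs in [
        ("interception on first connection", [INTERCEPTOR_CERT, GENUINE_CERT]),
        ("legitimate renewal later", [GENUINE_CERT, ROTATED_CERT]),
    ]:
        print(name)
        print("  remember-first-cert:", replay(TofuStore(), certs))
        print("  built-in pins:      ", replay(BuiltInPins(pins), certs))
```

The remembering client accepts whatever it sees first and raises the same "changed" signal for an interception as for a planned renewal, while the built-in pins reject the unknown certificate on the very first connection.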
Changaco | 28 Oct 21:38 2012

Re: [Security] Put haskell.org on https

On Sun, 28 Oct 2012 17:46:10 +0100 Petr P wrote:
> In this particular case, cabal can have the public part of the
> certificate built-in (as it has the web address built in). So once one
> has a verified installation of cabal, it can verify the server
> packages without being susceptible to MitM attack (no matter if
> they're PGP signed or X.509 signed).

This is PGP's security model, so it's probably better to use PGP keys.
Patrick Hurst | 28 Oct 22:07 2012

Re: [Security] Put haskell.org on https


On Oct 28, 2012, at 4:38 PM, Changaco <changaco <at> changaco.net> wrote:

> On Sun, 28 Oct 2012 17:46:10 +0100 Petr P wrote:
>> In this particular case, cabal can have the public part of the
>> certificate built-in (as it has the web address built in). So once one
>> has a verified installation of cabal, it can verify the server
>> packages without being susceptible to MitM attack (no matter if
>> they're PGP signed or X.509 signed).
> 
> This is PGP's security model, so it's probably better to use PGP keys.

How do you get a copy of cabal while making sure that somebody hasn't MITMed you and replaced the PGP key?
Clark Gaebel | 28 Oct 22:25 2012

Re: [Security] Put haskell.org on https

Do it at home.

If you're at an internet cafe, though, it'd be nice if you could trust cabal packages.

    - Clark

On Sun, Oct 28, 2012 at 5:07 PM, Patrick Hurst <phurst <at> amateurtopologist.com> wrote:

On Oct 28, 2012, at 4:38 PM, Changaco <changaco <at> changaco.net> wrote:

> On Sun, 28 Oct 2012 17:46:10 +0100 Petr P wrote:
>> In this particular case, cabal can have the public part of the
>> certificate built-in (as it has the web address built in). So once one
>> has a verified installation of cabal, it can verify the server
>> packages without being susceptible to MitM attack (no matter if
>> they're PGP signed or X.509 signed).
>
> This is PGP's security model, so it's probably better to use PGP keys.


How do you get a copy of cabal while making sure that somebody hasn't MITMed you and replaced the PGP key?
Michael Walker | 28 Oct 22:43 2012

Re: [Security] Put haskell.org on https

> How do you get a copy of cabal while making sure that somebody hasn't
> MITMed you and replaced the PGP key?

You don't. Somewhere, you just have to trust that nothing went awry.
The best thing to do is just to make it as difficult as possible for an
attacker to be successful - make the PGP keys widely known and have a
lot of people sign them.

-- 
Michael Walker (http://www.barrucadu.co.uk)
Patrick Hurst | 28 Oct 22:46 2012

Re: [Security] Put haskell.org on https

So why not use HTTPS?

October 28, 2012 5:43 PM

You don't. Somewhere, you just have to trust that nothing went awry.
The best thing to do is just to make it as difficult as possible for an
attacker to be successful - make the PGP keys widely known and have a
lot of people sign them.

October 28, 2012 4:38 PM

This is PGP's security model, so it's probably better to use PGP keys.
Changaco | 29 Oct 00:34 2012

Re: [Security] Put haskell.org on https

On Sun, 28 Oct 2012 17:07:24 -0400 Patrick Hurst wrote:
> How do you get a copy of cabal while making sure that somebody hasn't MITMed you and replaced the PGP key?

Ultimately it is a DNS problem. To establish a secure connection with
haskell.org you'd have to get the certificate from the DNS, but that
technology is not ready yet, so all you can do is check the key against
as many sources as possible like Michael Walker said.

On Sun, 28 Oct 2012 17:46:06 -0400 Patrick Hurst wrote:
> So why not use HTTPS?

Because it doesn't solve the problem.
Patrick Mylund Nielsen | 29 Oct 00:45 2012

Re: [Security] Put haskell.org on https

PGP tends to present many usability issues, and in this case it would make more sense/provide a clearer win if there were many different, semi-untrusted hackage mirrors. Just enable HTTPS and have Cabal validate the server certificate against a CA pool of one. PKI/trusting obscure certificate authorities in Egypt and Syria is the biggest concern here, not somebody MITMing your initial Cabal installation (which in a lot of cases happens through apt-get or yum, anyway.)

On Mon, Oct 29, 2012 at 12:34 AM, Changaco <changaco <at> changaco.net> wrote:
On Sun, 28 Oct 2012 17:07:24 -0400 Patrick Hurst wrote:
> How do you get a copy of cabal while making sure that somebody hasn't MITMed you and replaced the PGP key?

Ultimately it is a DNS problem. To establish a secure connection with
haskell.org you'd have to get the certificate from the DNS, but that
technology is not ready yet, so all you can do is check the key against
as many sources as possible like Michael Walker said.

On Sun, 28 Oct 2012 17:46:06 -0400 Patrick Hurst wrote:
> So why not use HTTPS?

Because it doesn't solve the problem.
Patrick Mylund Nielsen | 29 Oct 00:55 2012

Re: [Security] Put haskell.org on https

Of course, as long as Cabal itself is distributed through this same https-enabled site, you have the same PKI-backed security as just about any major website. This model has problems, yes, but it's good enough, and it's easy to use. If you really want to improve it (without impacting usability), have Google/the browser vendors pin the public cert for haskell.org.

On Mon, Oct 29, 2012 at 12:45 AM, Patrick Mylund Nielsen <haskell <at> patrickmylund.com> wrote:
PGP tends to present many usability issues, and in this case it would make more sense/provide a clearer win if there were many different, semi-untrusted hackage mirrors. Just enable HTTPS and have Cabal validate the server certificate against a CA pool of one. PKI/trusting obscure certificate authorities in Egypt and Syria is the biggest concern here, not somebody MITMing your initial Cabal installation (which in a lot of cases happens through apt-get or yum, anyway.)


On Mon, Oct 29, 2012 at 12:34 AM, Changaco <changaco <at> changaco.net> wrote:
On Sun, 28 Oct 2012 17:07:24 -0400 Patrick Hurst wrote:
> How do you get a copy of cabal while making sure that somebody hasn't MITMed you and replaced the PGP key?

Ultimately it is a DNS problem. To establish a secure connection with
haskell.org you'd have to get the certificate from the DNS, but that
technology is not ready yet, so all you can do is check the key against
as many sources as possible like Michael Walker said.

On Sun, 28 Oct 2012 17:46:06 -0400 Patrick Hurst wrote:
> So why not use HTTPS?

Because it doesn't solve the problem.
Niklas Hambüchen | 29 Oct 00:59 2012

Re: [Security] Put haskell.org on https

No matter what we do with cabal, it would be great if I could soon point
my browser at https://haskell.org *anyway*.

On 28/10/12 23:55, Patrick Mylund Nielsen wrote:
> Of course, as long as Cabal itself is distributed through this same
> https-enabled site, you have the same PKI-backed security as just about
> any major website. This model has problems, yes, but it's good enough,
> and it's easy to use. If you really want to improve it (without
> impacting usability), have Google/the browser vendors pin the public
> cert for haskell.org <http://haskell.org>.
> 
> On Mon, Oct 29, 2012 at 12:45 AM, Patrick Mylund Nielsen
> <haskell <at> patrickmylund.com <mailto:haskell <at> patrickmylund.com>> wrote:
> 
>     PGP tends to present many usability issues, and in this case it
>     would make more sense/provide a clearer win if there were many
>     different, semi-untrusted hackage mirrors. Just enable HTTPS and
>     have Cabal validate the server certificate against a CA pool of one.
>     PKI/trusting obscure certificate authorities in Egypt and Syria is
>     the biggest concern here, not somebody MITMing your initial Cabal
>     installation (which in a lot of cases happens through apt-get or
>     yum, anyway.)
> 
> 
>     On Mon, Oct 29, 2012 at 12:34 AM, Changaco <changaco <at> changaco.net
>     <mailto:changaco <at> changaco.net>> wrote:
> 
>         On Sun, 28 Oct 2012 17:07:24 -0400 Patrick Hurst wrote:
>         > How do you get a copy of cabal while making sure that somebody
>         hasn't MITMed you and replaced the PGP key?
> 
>         Ultimately it is a DNS problem. To establish a secure connection
>         with
>         haskell.org <http://haskell.org> you'd have to get the
>         certificate from the DNS, but that
>         technology is not ready yet, so all you can do is check the key
>         against
>         as many sources as possible like Michael Walker said.
> 
>         On Sun, 28 Oct 2012 17:46:06 -0400 Patrick Hurst wrote:
>         > So why not use HTTPS?
> 
>         Because it doesn't solve the problem.
Patrick Mylund Nielsen | 29 Oct 02:06 2012

Re: [Security] Put haskell.org on https

Sure. No matter what's done in Cabal, the clients for everything else will still be mainly browsers.

On Mon, Oct 29, 2012 at 12:59 AM, Niklas Hambüchen <mail <at> nh2.me> wrote:
No matter what we do with cabal, it would be great if I could soon point
my browser at https://haskell.org *anyway*.

On 28/10/12 23:55, Patrick Mylund Nielsen wrote:
> Of course, as long as Cabal itself is distributed through this same
> https-enabled site, you have the same PKI-backed security as just about
> any major website. This model has problems, yes, but it's good enough,
> and it's easy to use. If you really want to improve it (without
> impacting usability), have Google/the browser vendors pin the public
> cert for haskell.org <http://haskell.org>.
>
> On Mon, Oct 29, 2012 at 12:45 AM, Patrick Mylund Nielsen
> <haskell <at> patrickmylund.com <mailto:haskell <at> patrickmylund.com>> wrote:
>
>     PGP tends to present many usability issues, and in this case it
>     would make more sense/provide a clearer win if there were many
>     different, semi-untrusted hackage mirrors. Just enable HTTPS and
>     have Cabal validate the server certificate against a CA pool of one.
>     PKI/trusting obscure certificate authorities in Egypt and Syria is
>     the biggest concern here, not somebody MITMing your initial Cabal
>     installation (which in a lot of cases happens through apt-get or
>     yum, anyway.)
>
>
>     On Mon, Oct 29, 2012 at 12:34 AM, Changaco <changaco <at> changaco.net
>     <mailto:changaco <at> changaco.net>> wrote:
>
>         On Sun, 28 Oct 2012 17:07:24 -0400 Patrick Hurst wrote:
>         > How do you get a copy of cabal while making sure that somebody
>         hasn't MITMed you and replaced the PGP key?
>
>         Ultimately it is a DNS problem. To establish a secure connection
>         with
>         haskell.org <http://haskell.org> you'd have to get the
>         certificate from the DNS, but that
>         technology is not ready yet, so all you can do is check the key
>         against
>         as many sources as possible like Michael Walker said.
>
>         On Sun, 28 Oct 2012 17:46:06 -0400 Patrick Hurst wrote:
>         > So why not use HTTPS?
>
>         Because it doesn't solve the problem.
Niklas Hambüchen | 30 Oct 21:52 2012

Re: [Security] Put haskell.org on https

So how do we go forward about getting the SSL certificate and installing it?

On 29/10/12 01:06, Patrick Mylund Nielsen wrote:
> Sure. No matter what's done in Cabal, the clients for everything else
> will still be mainly browsers.
> 
> On Mon, Oct 29, 2012 at 12:59 AM, Niklas Hambüchen <mail <at> nh2.me> wrote:
>
>     No matter what we do with cabal, it would be great if I could soon point
>     my browser at https://haskell.org *anyway*.
>
>     On 28/10/12 23:55, Patrick Mylund Nielsen wrote:
>     > Of course, as long as Cabal itself is distributed through this same
>     > https-enabled site, you have the same PKI-backed security as just about
>     > any major website. This model has problems, yes, but it's good enough,
>     > and it's easy to use. If you really want to improve it (without
>     > impacting usability), have Google/the browser vendors pin the public
>     > cert for haskell.org.
>     >
>     > On Mon, Oct 29, 2012 at 12:45 AM, Patrick Mylund Nielsen
>     > <haskell <at> patrickmylund.com> wrote:
>     >
>     >     PGP tends to present many usability issues, and in this case it
>     >     would make more sense/provide a clearer win if there were many
>     >     different, semi-untrusted hackage mirrors. Just enable HTTPS and
>     >     have Cabal validate the server certificate against a CA pool of one.
>     >     PKI/trusting obscure certificate authorities in Egypt and Syria is
>     >     the biggest concern here, not somebody MITMing your initial Cabal
>     >     installation (which in a lot of cases happens through apt-get or
>     >     yum, anyway.)
>     >
>     >     On Mon, Oct 29, 2012 at 12:34 AM, Changaco <changaco <at> changaco.net> wrote:
>     >
>     >         On Sun, 28 Oct 2012 17:07:24 -0400 Patrick Hurst wrote:
>     >         > How do you get a copy of cabal while making sure that somebody
>     >         > hasn't MITMed you and replaced the PGP key?
>     >
>     >         Ultimately it is a DNS problem. To establish a secure connection with
>     >         haskell.org you'd have to get the certificate from the DNS, but that
>     >         technology is not ready yet, so all you can do is check the key against
>     >         as many sources as possible like Michael Walker said.
>     >
>     >         On Sun, 28 Oct 2012 17:46:06 -0400 Patrick Hurst wrote:
>     >         > So why not use HTTPS?
>     >
>     >         Because it doesn't solve the problem.

Ramana Kumar | 2 Nov 13:14 2012

Re: [Security] Put haskell.org on https

Who is the webmaster for haskell.org? Presumably they will be required in the process of installing the certificate.

As far as obtaining goes, one can obtain a free certificate from StartSSL - see https://www.startssl.com
There are other CAs, but if nobody has any strong preferences, I recommend going with them.


On Tue, Oct 30, 2012 at 8:52 PM, Niklas Hambüchen <mail <at> nh2.me> wrote:
So how do we go forward about getting the SSL certificate and installing it?

Iavor Diatchki | 2 Nov 18:34 2012

Re: [Security] Put haskell.org on https

Hello,


I think that getting a certificate is a good idea.  I think this could probably be arranged by the haskell.org committee, which even has a budget for things like that, I believe.  I'm cc-ing Jason, who's on the committee and might have more input on what's the best way to proceed. 

Thanks for bringing this up!
-Iavor


On Fri, Nov 2, 2012 at 5:14 AM, Ramana Kumar <Ramana.Kumar <at> cl.cam.ac.uk> wrote:
Who is the webmaster for haskell.org? Presumably they will be required in the process of installing the certificate.

As far as obtaining goes, one can obtain a free certificate from StartSSL - see https://www.startssl.com
There are other CAs, but if nobody has any strong preferences, I recommend going with them.


Jason Dagit | 2 Nov 18:49 2012

Re: [Security] Put haskell.org on https

Thanks Iavor et al.


I agree. I'll see what we can do. We have budget for this so hopefully it will be a simple matter of finding people to implement the change.

Jason

On Fri, Nov 2, 2012 at 10:34 AM, Iavor Diatchki <iavor.diatchki <at> gmail.com> wrote:
Hello,

I think that getting a certificate is a good idea.  I think this could probably be arranged by the haskell.org committee, which even has a budget for things like that, I believe.  I'm cc-ing Jason, who's on the committee and might have more input on what's the best way to proceed. 

Thanks for bringing this up!
-Iavor


Iustin Pop | 28 Oct 19:16 2012

Re: [Security] Put haskell.org on https

On Sun, Oct 28, 2012 at 05:10:39PM +0100, Changaco wrote:
> On Sun, 28 Oct 2012 16:39:10 +0100 Iustin Pop wrote:
> > Sure, but I was talking about a proper certificate signed by a
> > well-known registrar, at which point the https client would default to
> > verify the signature against the system certificate store.
> 
> It doesn't matter what kind of certificate the server uses since the
> client generally doesn't know about it, especially on first connection.
> Some programs remember the certificate between uses and inform you
> when it changes, but that's not perfect either.

The client doesn't have to know about it, if it can verify a chain of
trust via the system cert store, as I said above.

regards,
iustin
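
An added example (not from any message in this thread, and not Cabal's code) of the two client trust configurations discussed above: verifying a chain of trust against a broad store, as with the system certificate store, versus a "CA pool of one". It is in Go because its standard library can mint constructed test certificates offline; the host name `hackage.example` and both CAs are made up for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert builds a constructed test certificate. With parent == nil it is a
// self-signed CA named cn; otherwise a server certificate for DNS name cn
// signed by parent.
func newCert(cn string, serial int64, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn}
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// Accepts reports whether leaf chains to one of roots and is valid for host,
// which is the check a TLS client makes with that root pool configured.
func Accepts(leaf *x509.Certificate, host string, roots ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

// Demo issues two certificates for the same host from two different CAs and
// verifies each against a broad store (both CAs) and a pool of one (site CA).
func Demo() (broadGenuine, broadOther, pinnedGenuine, pinnedOther bool) {
	const host = "hackage.example" // hypothetical host name
	siteCA, siteKey := newCert("Constructed Site CA", 1, nil, nil)
	otherCA, otherKey := newCert("Constructed Other CA", 2, nil, nil)
	genuine, _ := newCert(host, 3, siteCA, siteKey)
	other, _ := newCert(host, 4, otherCA, otherKey)
	return Accepts(genuine, host, siteCA, otherCA), Accepts(other, host, siteCA, otherCA),
		Accepts(genuine, host, siteCA), Accepts(other, host, siteCA)
}

func main() {
	fmt.Println(Demo()) // true true true false
}
```

With both CAs in the store, a certificate for the host from either CA verifies; with only the site's CA in the pool, the certificate issued by the other CA is rejected.
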
Patrick Hurst | 28 Oct 19:45 2012

Re: [Security] Put haskell.org on https


On Oct 28, 2012, at 12:10 PM, Changaco <changaco <at> changaco.net> wrote:

> On Sun, 28 Oct 2012 16:39:10 +0100 Iustin Pop wrote:
>> Sure, but I was talking about a proper certificate signed by a
>> well-known registrar, at which point the https client would default to
>> verify the signature against the system certificate store.
> 
> It doesn't matter what kind of certificate the server uses since the
> client generally doesn't know about it, especially on first connection.
> Some programs remember the certificate between uses and inform you
> when it changes, but that's not perfect either.
> 
>> Yes, I'm fully aware that this is not fully safe, but I hope you agree
>> that https with a proper certificate is much better than plain http.
> 
> I agree that X.509 provides some protection, but PGP is better.
> 
> My point was: when possible don't rely on X.509 for security, build a
> Web of Trust instead.
> 

The reason HTTPS works is that most operating systems will have a list of some number of root CAs (or a way to
get them via some other channel that the OS trusts, such as through GPG-signed packages) that it
implicitly trusts. The user gets the security without any extra effort on their end.

On the other hand, with PGP, any user who wants to be secure but doesn't use GPG would have to verify the
identity of whoever signed the Cabal GPG key, and most non-Linux operating systems don't come with a list
of trusted GPG keys. So how do they get them without using HTTPS (since if you use HTTPS to figure out what
keys you trust, your scheme is no more secure than HTTPS)?
Jeremy Shaw | 28 Oct 21:42 2012

Re: [Security] Put haskell.org on https

On Sun, Oct 28, 2012 at 1:45 PM, Patrick Hurst
<phurst <at> amateurtopologist.com> wrote:

> On the other hand, with PGP, any user who wants to be secure but doesn't use GPG would have to verify the
> identity of whoever signed the Cabal GPG key, and most non-Linux operating systems don't come with a list
> of trusted GPG keys. So how do they get them without using HTTPS (since if you use HTTPS to figure out what
> keys you trust, your scheme is no more secure than HTTPS)?

Well.. my dumb idea is that you include some trusted GPG keys with the
cabal client itself? Obviously you must be getting cabal-install from
a trusted source, or all the HTTPS in the world can't help you?

I'm sure this idea is wrong somehow, but someone had to mention it ;)

- jeremy
Henk-Jan van Tuyl | 28 Oct 19:45 2012

Re: [Security] Put haskell.org on https

On Sun, 28 Oct 2012 13:38:46 +0100, Petr P <petr.mvd <at> gmail.com> wrote:

>   Erik,
>
> does cabal need to do any authenticated stuff? For downloading
> packages I think HTTP is perfectly fine. So we could have HTTP for
> cabal download only and HTTPS for everything else.
>
>   Best regards,
>   Petr Pudlak
>

Without checking a certificate, it could be that you are connected to a
false server; without encryption, the package could be replaced by another
package (a man-in-the-middle attack).

Regards,
Henk-Jan van Tuyl

-- 
http://Van.Tuyl.eu/
http://members.chello.nl/hjgtuyl/tourdemonad.html
Haskell programming