Re: [Haskell-cafe] [Security] Put haskell.org on https

Thanks Iavor et al. I agree. I'll see what we can do. We have budget for this so hopefully it will be a simple matter of finding people to implement the change. Jason On Fri, Nov 2, 2012 at 10:34 AM, Iavor Diatchki wrote: > Hello, > > I think that getting a certificate is a good idea. I think

Re: [Haskell-cafe] [Security] Put haskell.org on https

Hello, I think that getting a certificate is a good idea. I think this could probably be arranged by the haskell.org committee, which even has a budget for things like that, I believe. I'm cc-ing Jason, who's on the committee and might have more input on what's the best way to proceed. Thanks f

Re: [Haskell-cafe] [Security] Put haskell.org on https

Who is the webmaster for haskell.org? Presumably they will be required in the process of installing the certificate. As far as obtaining goes, one can obtain a free certificate from StartSSL - see https://www.startssl.com There are other CAs, but if nobody has any strong preferences, I recommend g

Re: [Haskell-cafe] [Security] Put haskell.org on https

So how do we go forward about getting the SSL certificate and installing it? On 29/10/12 01:06, Patrick Mylund Nielsen wrote: > Sure. No matter what's done in Cabal, the clients for everything else > will still be mainly browsers. > > On Mon, Oct 29, 2012 at 12:59 AM, Niklas Hambüchen

Re: [Haskell-cafe] [Security] Put haskell.org on https

Sure. No matter what's done in Cabal, the clients for everything else will still be mainly browsers. On Mon, Oct 29, 2012 at 12:59 AM, Niklas Hambüchen wrote: > No matter what we do with cabal, it would be great if I could soon point > my browser at https://haskell.org *anyway*. > > On 28/10/12

Re: [Haskell-cafe] [Security] Put haskell.org on https

No matter what we do with cabal, it would be great if I could soon point my browser at https://haskell.org *anyway*. On 28/10/12 23:55, Patrick Mylund Nielsen wrote: > Of course, as long as Cabal itself is distributed through this same > https-enabled site, you have the same PKI-backed security as

Re: [Haskell-cafe] [Security] Put haskell.org on https

Of course, as long as Cabal itself is distributed through this same https-enabled site, you have the same PKI-backed security as just about any major website. This model has problems, yes, but it's good enough, and it's easy to use. If you really want to improve it (without impacting usability), ha

Re: [Haskell-cafe] [Security] Put haskell.org on https

PGP tends to present many usability issues, and in this case it would make more sense/provide a clearer win if there were many different, semi-untrusted hackage mirrors. Just enable HTTPS and have Cabal validate the server certificate against a CA pool of one. PKI/trusting obscure certificate autho

Re: [Haskell-cafe] [Security] Put haskell.org on https

On Sun, 28 Oct 2012 17:07:24 -0400 Patrick Hurst wrote: > How do you get a copy of cabal while making sure that somebody hasn't MITMed > you and replaced the PGP key? Ultimately it is a DNS problem. To establish a secure connection with haskell.org you'd have to get the certificate from the DNS,

Re: [Haskell-cafe] [Security] Put haskell.org on https

So why not use HTTPS? Michael Walker October 28, 2012 5:43 PM You don't. Somewhere, you just have to trust that nothing went awry.The best thing to do is just to make it as difficult as possible for anattacker to be successful - make the PGP keys widely known and have al

Re: [Haskell-cafe] [Security] Put haskell.org on https

> How do you get a copy of cabal while making sure that somebody hasn't > MITMed you and replaced the PGP key? You don't. Somewhere, you just have to trust that nothing went awry. The best thing to do is just to make it as difficult as possible for an attacker to be successful - make the PGP keys

Re: [Haskell-cafe] [Security] Put haskell.org on https

Do it at home. If you're at an internet cafe, though, it'd be nice if you could trust cabal packages. - Clark On Sun, Oct 28, 2012 at 5:07 PM, Patrick Hurst wrote: > > On Oct 28, 2012, at 4:38 PM, Changaco wrote: > > > On Sun, 28 Oct 2012 17:46:10 +0100 Petr P wrote: > >> In this particul

Re: [Haskell-cafe] [Security] Put haskell.org on https

On Oct 28, 2012, at 4:38 PM, Changaco wrote: > On Sun, 28 Oct 2012 17:46:10 +0100 Petr P wrote: >> In this particular case, cabal can have the public part of the >> certificate built-in (as it has the web address built in). So once one >> has a verified installation of cabal, it can verify the s

Re: [Haskell-cafe] [Security] Put haskell.org on https

On Sun, Oct 28, 2012 at 1:45 PM, Patrick Hurst wrote: > On the other hand, with PGP, any user who wants to be secure but doesn't use > GPG would have to verify the identity of whoever signed the Cabal GPG key, > and most non-Linux operating systems don't come with a list of trusted GPG > keys.

Re: [Haskell-cafe] [Security] Put haskell.org on https

On Sun, 28 Oct 2012 17:46:10 +0100 Petr P wrote: > In this particular case, cabal can have the public part of the > certificate built-in (as it has the web address built in). So once one > has a verified installation of cabal, it can verify the server > packages without being susceptible to MitM at

Re: [Haskell-cafe] [Security] Put haskell.org on https

On Sun, 28 Oct 2012 13:38:46 +0100, Petr P wrote: Erik, does cabal need to do any authenticated stuff? For downloading packages I think HTTP is perfectly fine. So we could have HTTP for cabal download only and HTTPS for everything else. Best regards, Petr Pudlak Without checking a ce

Re: [Haskell-cafe] [Security] Put haskell.org on https

On Oct 28, 2012, at 12:10 PM, Changaco wrote: > On Sun, 28 Oct 2012 16:39:10 +0100 Iustin Pop wrote: >> Sure, but I was talking about a proper certificate signed by a >> well-known registrar, at which point the https client would default to >> verify the signature against the system certificate

Re: [Haskell-cafe] [Security] Put haskell.org on https

On Sun, Oct 28, 2012 at 05:10:39PM +0100, Changaco wrote: > On Sun, 28 Oct 2012 16:39:10 +0100 Iustin Pop wrote: > > Sure, but I was talking about a proper certificate signed by a > > well-known registrar, at which point the https client would default to > > verify the signature against the system

Re: [Haskell-cafe] [Security] Put haskell.org on https

2012/10/28 Changaco : > It doesn't matter what kind of certificate the server uses since the > client generally doesn't know about it, especially on first connection. > Some programs remember the certificate between uses and inform you > when it changes, but that's not perfect either. In this part

Re: [Haskell-cafe] [Security] Put haskell.org on https

On Sun, 28 Oct 2012 16:39:10 +0100 Iustin Pop wrote: > Sure, but I was talking about a proper certificate signed by a > well-known registrar, at which point the https client would default to > verify the signature against the system certificate store. It doesn't matter what kind of certificate the

Re: [Haskell-cafe] [Security] Put haskell.org on https

On Sun, Oct 28, 2012 at 04:26:07PM +0100, Changaco wrote: > On Sun, 28 Oct 2012 14:45:02 +0100 Iustin Pop wrote: > > Kindly disagree here. Ensuring that packages are downloaded > > safely/correctly without MITM attacks is also important. Even if as an > > option. > > HTTPS doesn't fully protect ag

Re: [Haskell-cafe] [Security] Put haskell.org on https

On Sun, 28 Oct 2012 14:45:02 +0100 Iustin Pop wrote: > Kindly disagree here. Ensuring that packages are downloaded > safely/correctly without MITM attacks is also important. Even if as an > option. HTTPS doesn't fully protect against a MITM since there is no shared secret between client and server

Re: [Haskell-cafe] [Security] Put haskell.org on https

On Sun, Oct 28, 2012 at 03:53:04PM +0100, Petr P wrote: > 2012/10/28 Iustin Pop : > > On Sun, Oct 28, 2012 at 01:38:46PM +0100, Petr P wrote: > >> does cabal need to do any authenticated stuff? For downloading > >> packages I think HTTP is perfectly fine. So we could have HTTP for > >> cabal downlo

Re: [Haskell-cafe] [Security] Put haskell.org on https

2012/10/28 Iustin Pop : > On Sun, Oct 28, 2012 at 01:38:46PM +0100, Petr P wrote: >> does cabal need to do any authenticated stuff? For downloading >> packages I think HTTP is perfectly fine. So we could have HTTP for >> cabal download only and HTTPS for everything else. > > Kindly disagree here. E

Re: [Haskell-cafe] [Security] Put haskell.org on https

On Sun, Oct 28, 2012 at 01:38:46PM +0100, Petr P wrote: > Erik, > > does cabal need to do any authenticated stuff? For downloading > packages I think HTTP is perfectly fine. So we could have HTTP for > cabal download only and HTTPS for everything else. Kindly disagree here. Ensuring that packag

Re: [Haskell-cafe] [Security] Put haskell.org on https

I think it is only needed for 'cabal upload'. So if you upload via the web only, you'd never send your password over plain HTTP. Erik On Sun, Oct 28, 2012 at 1:38 PM, Petr P wrote: > Erik, > > does cabal need to do any authenticated stuff? For downloading > packages I think HTTP is perfectly f

Re: [Haskell-cafe] [Security] Put haskell.org on https

Erik, does cabal need to do any authenticated stuff? For downloading packages I think HTTP is perfectly fine. So we could have HTTP for cabal download only and HTTPS for everything else. Best regards, Petr Pudlak 2012/10/28 Erik Hesselink : > While I would love to have hackage available (o

Re: [Haskell-cafe] [Security] Put haskell.org on https

While I would love to have hackage available (or even forced) over https, I think the biggest reason it currently isn't, is that cabal would then also need https support. This means the HTTP library would need https support, which I've heard will be hard to implement cross-platform (read: on Window

Re: [Haskell-cafe] [Security] Put haskell.org on https

At Sun, 28 Oct 2012 14:59:00 +0400, Dmitry Vyal wrote: > Does hackage at least store the logs of packages uploads? What's the reason or > such a security model? I guess it was appropriate in the past when hackage was > an experimental service, but now it's a standard way of distributing Haskell > c

Re: [Haskell-cafe] [Security] Put haskell.org on https

On 10/28/2012 03:20 AM, Niklas Hambüchen wrote: - abuse your hackage account and override arbitrary packages (especially since hackage allows everybody to override everything) Does hackage at least store the logs of packages uploads? What's the reason or such a security model? I guess it was

Re: [Haskell-cafe] [Security] Put haskell.org on https

I support this proposal too. More reasons to use HTTPS can be found at https://www.eff.org/https-everywhere/deploying-https On Sun, Oct 28, 2012 at 8:51 AM, Petr P wrote: > 2012/10/28 Francesco Mazzoli : > > At Sun, 28 Oct 2012 00:20:16 +0100, > > Niklas Hambüchen wrote: > >> (I have mentioned t

Re: [Haskell-cafe] [Security] Put haskell.org on https

2012/10/28 Francesco Mazzoli : > At Sun, 28 Oct 2012 00:20:16 +0100, > Niklas Hambüchen wrote: >> (I have mentioned this several times on #haskell, but nothing has >> happened so far.) >> >> Are you aware that all haskell.org websites (hackage, HaskellWiki, ghc >> trac) allow unencrypted http conne

Re: [Haskell-cafe] [Security] Put haskell.org on https

At Sun, 28 Oct 2012 00:20:16 +0100, Niklas Hambüchen wrote: > (I have mentioned this several times on #haskell, but nothing has > happened so far.) > > Are you aware that all haskell.org websites (hackage, HaskellWiki, ghc > trac) allow unencrypted http connections only? > > This means that every

Re: [Haskell-cafe] [Security] Put haskell.org on https

+1 Pedro On Sun, Oct 28, 2012 at 12:20 AM, Niklas Hambüchen wrote: > (I have mentioned this several times on #haskell, but nothing has > happened so far.) > > Are you aware that all haskell.org websites (hackage, HaskellWiki, ghc > trac) allow unencrypted http connections only? > > This means

[Haskell-cafe] [Security] Put haskell.org on https

(I have mentioned this several times on #haskell, but nothing has happened so far.) Are you aware that all haskell.org websites (hackage, HaskellWiki, ghc trac) allow unencrypted http connections only? This means that everyone in the same Wifi can potentially - read you passwords for all of thes