[Haskell-cafe] ANNOUNCE: secure-sockets version 1.0
Thomas DuBuisson
thomas.dubuisson at gmail.com
Mon Sep 6 15:45:47 EDT 2010
David said:
> I'd be interested with breaking the dependency on OpenSSL, for various
> reasons:
> [snip]
Can't say I'm surprised by these. Its unfortunate the situation
hasn't improved. I recall a half decent O'Reilly book on OpenSSL but
if you weren't using it as a cookbook (and wanted a 1-off solution)
then it wasn't so useful.
> So, a replacement would need to be a complete replacement for TLS. I did in
> fact try to start with this, implementing my own simpler TLS-ish protocol,
> using crypto primitives directly. It took a group of crypto experts about 5
> minutes to punch 3 different holes in the protocol
You could have gone to Hackage and checked your protocols correctness
using CPSA, not that the side-channel attacks would be discovered by
such a tool.
> That said, with the Haskell Crypto API stabilizing, I've been toying with
> the project of a pure Haskell TLS implementation, which would solve the
> annoying dependency issue while hanging on to a hardened protocol.
I'm releasing crypto-api-0.1 on Tuesday so if you have any last minute
comments now is the time!
> However,
> this is also far from a simple endeavor, especially if the implementation is
> to be hardened against side-channel attacks, which I'm not even sure is
> possible in Haskell.
Well, to determine if that's possible we'd need a definition of
side-channel attack which is counter to many definitions of
side-channel ;-). Perhaps a list of common ones OpenSSL thinks it
addresses would give us a good start.
If you start on such a task (Haskell TLS) then perhaps you could drop
a line to l at h.o or c at h.o?
Cheers,
Thomas
More information about the Haskell-Cafe
mailing list