[Haskell-cafe] [Security] Put haskell.org on https
hesselink at gmail.com
Sun Oct 28 13:42:30 CET 2012
I think it is only needed for 'cabal upload'. So if you upload via the
web only, you'd never send your password over plain HTTP.
On Sun, Oct 28, 2012 at 1:38 PM, Petr P <petr.mvd at gmail.com> wrote:
> Does cabal need to do any authenticated stuff? For downloading
> packages I think HTTP is perfectly fine. So we could have HTTP for
> cabal download only and HTTPS for everything else.
> Best regards,
> Petr Pudlak
> 2012/10/28 Erik Hesselink <hesselink at gmail.com>:
>> While I would love to have hackage available (or even forced) over
>> https, I think the biggest reason it currently isn't, is that cabal
>> would then also need https support. This means the HTTP library would
>> need https support, which I've heard will be hard to implement
>> cross-platform (read: on Windows).
>> However, I guess providing https as an option is still a huge step
>> forwards compared to the current situation.
>> On Sun, Oct 28, 2012 at 1:20 AM, Niklas Hambüchen <mail at nh2.me> wrote:
>>> (I have mentioned this several times on #haskell, but nothing has
>>> happened so far.)
>>> Are you aware that all haskell.org websites (hackage, HaskellWiki, ghc
>>> trac) allow unencrypted http connections only?
>>> This means that everyone in the same Wifi can potentially
>>> - read your passwords for all of these services
>>> - abuse your hackage account and override arbitrary packages
>>> (especially since hackage allows everybody to override everything)
>>> I propose we get an SSL certificate for haskell.org.
>>> I also offer to donate that SSL certificate (or directly create it using
>>> my Startcom account).
>>> Haskell-Cafe mailing list
>>> Haskell-Cafe at haskell.org