[Haskell-cafe] [Security] Put haskell.org on https
iusty at k1024.org
Sun Oct 28 16:39:10 CET 2012
On Sun, Oct 28, 2012 at 04:26:07PM +0100, Changaco wrote:
> On Sun, 28 Oct 2012 14:45:02 +0100 Iustin Pop wrote:
> > Kindly disagree here. Ensuring that packages are downloaded
> > safely/correctly without MITM attacks is also important. Even if as an
> > option.
> HTTPS doesn't fully protect against a MITM since there is no shared
> secret between client and server prior to the connection.
> The MITM can use a self-signed certificate, or possibly a certificate
> signed by a compromised CA.
Sure, but I was talking about a proper certificate signed by a
well-known registrar, at which point the https client would default to
verify the signature against the system certificate store.
Yes, I'm fully aware that this is not fully safe, but I hope you agree
that https with a proper certificate is much better than plain http.
More information about the Haskell-Cafe