[Haskell-cafe] [Security] Put haskell.org on https

Petr P petr.mvd at gmail.com
Sun Oct 28 17:46:10 CET 2012


2012/10/28 Changaco <changaco at changaco.net>:
> It doesn't matter what kind of certificate the server uses since the
> client generally doesn't know about it, especially on first connection.
> Some programs remember the certificate between uses and inform you
> when it changes, but that's not perfect either.

In this particular case, cabal can have the public part of the
certificate built-in (as it has the web address built in). So once one
has a verified installation of cabal, it can verify the server
packages without being susceptible to a MitM attack (no matter if
they're PGP signed or X.509 signed).

Best regards,
Petr Pudlak
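
The built-in certificate idea from the message above, as an added sketch that is not part of the original post and is not cabal's code: a client ships a fingerprint of the server certificate and refuses any connection whose certificate does not match it. The names `BUILT_IN_PINS`, `cert_matches_pin` and `open_pinned`, the choice of a SHA-256 fingerprint over the whole DER certificate, and the sample byte strings are assumptions made for illustration.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed placeholder bytes standing in for DER-encoded certificates.
SERVER_CERT_DER = b"constructed-der-bytes-of-the-genuine-server-certificate"
MITM_CERT_DER = b"constructed-der-bytes-of-a-substituted-certificate"

# Pins compiled into the client, next to the built-in server address.
# A set allows a second pin to be shipped ahead of a certificate rotation.
BUILT_IN_PINS = {hashlib.sha256(SERVER_CERT_DER).hexdigest()}


def cert_matches_pin(der_cert, pins=BUILT_IN_PINS):
    """Return True if the presented certificate hashes to a built-in pin."""
    if not der_cert:
        return False
    fingerprint = hashlib.sha256(der_cert).hexdigest()
    return any(hmac.compare_digest(fingerprint, pin) for pin in pins)


def open_pinned(host, port=443, pins=BUILT_IN_PINS, timeout=10):
    """Open a TLS connection and keep it only if the certificate is pinned.

    Trust comes from the built-in pin rather than from a CA chain, so a
    self-signed server certificate works as long as it matches the pin.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # the pin check below replaces CA validation
    sock = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = ctx.wrap_socket(sock, server_hostname=host)
    except Exception:
        sock.close()
        raise
    # binary_form=True returns the DER certificate even without CA validation.
    der_cert = tls.getpeercert(binary_form=True)
    if not cert_matches_pin(der_cert, pins):
        tls.close()  # no application data has been sent at this point
        raise ssl.SSLError("server certificate does not match the built-in pin")
    return tls
```

The pin is only as trustworthy as the client binary that carries it, which is the "verified installation" precondition the message states.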