Re: [Haskell-cafe] [Security] Put haskell.org on https
Who is the webmaster for haskell.org? Presumably they will be required in the process of installing the certificate. As far as obtaining goes, one can obtain a free certificate from StartSSL - see https://www.startssl.com There are other CAs, but if nobody has any strong preferences, I recommend going with them. On Tue, Oct 30, 2012 at 8:52 PM, Niklas Hambüchen m...@nh2.me wrote: So how do we go forward about getting the SSL certificate and installing it? On 29/10/12 01:06, Patrick Mylund Nielsen wrote: Sure. No matter what's done in Cabal, the clients for everything else will still be mainly browsers. On Mon, Oct 29, 2012 at 12:59 AM, Niklas Hambüchen m...@nh2.me mailto:m...@nh2.me wrote: No matter what we do with cabal, it would be great if I could soon point my browser at https://haskell.org *anyway*. On 28/10/12 23:55, Patrick Mylund Nielsen wrote: Of course, as long as Cabal itself is distributed through this same https-enabled site, you have the same PKI-backed security as just about any major website. This model has problems, yes, but it's good enough, and it's easy to use. If you really want to improve it (without impacting usability), have Google/the browser vendors pin the public cert for haskell.org http://haskell.org http://haskell.org. On Mon, Oct 29, 2012 at 12:45 AM, Patrick Mylund Nielsen hask...@patrickmylund.com mailto:hask...@patrickmylund.com mailto:hask...@patrickmylund.com mailto:hask...@patrickmylund.com wrote: PGP tends to present many usability issues, and in this case it would make more sense/provide a clearer win if there were many different, semi-untrusted hackage mirrors. Just enable HTTPS and have Cabal validate the server certificate against a CA pool of one. PKI/trusting obscure certificate authorities in Egypt and Syria is the biggest concern here, not somebody MITMing your initial Cabal installation (which in a lot of cases happens through apt-get or yum, anyway.) On Mon, Oct 29, 2012 at 12:34 AM, Changaco chang...@changaco.net mailto:chang...@changaco.net mailto:chang...@changaco.net mailto:chang...@changaco.net wrote: On Sun, 28 Oct 2012 17:07:24 -0400 Patrick Hurst wrote: How do you get a copy of cabal while making sure that somebody hasn't MITMed you and replaced the PGP key? Ultimately it is a DNS problem. To establish a secure connection with haskell.org http://haskell.org http://haskell.org you'd have to get the certificate from the DNS, but that technology is not ready yet, so all you can do is check the key against as many sources as possible like Michael Walker said. On Sun, 28 Oct 2012 17:46:06 -0400 Patrick Hurst wrote: So why not use HTTPS? Because it doesn't solve the problem. ___ Haskell-Cafe mailing list Haskell-Cafe@haskell.org mailto:Haskell-Cafe@haskell.org mailto:Haskell-Cafe@haskell.org mailto:Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe ___ Haskell-Cafe mailing list Haskell-Cafe@haskell.org mailto:Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe ___ Haskell-Cafe mailing list Haskell-Cafe@haskell.org mailto:Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe ___ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe ___ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe
Re: [Haskell-cafe] [Security] Put haskell.org on https
Hello, I think that getting a certificate is a good idea. I think this could probably be arranged by the haskell.org committee, which even has a budget for things like that, I believe. I'm cc-ing Jason, who's on the committee and might have more input on what's the best way to proceed. Thanks for bringing this up! -Iavor On Fri, Nov 2, 2012 at 5:14 AM, Ramana Kumar ramana.ku...@cl.cam.ac.ukwrote: Who is the webmaster for haskell.org? Presumably they will be required in the process of installing the certificate. As far as obtaining goes, one can obtain a free certificate from StartSSL - see https://www.startssl.com There are other CAs, but if nobody has any strong preferences, I recommend going with them. On Tue, Oct 30, 2012 at 8:52 PM, Niklas Hambüchen m...@nh2.me wrote: So how do we go forward about getting the SSL certificate and installing it? On 29/10/12 01:06, Patrick Mylund Nielsen wrote: Sure. No matter what's done in Cabal, the clients for everything else will still be mainly browsers. On Mon, Oct 29, 2012 at 12:59 AM, Niklas Hambüchen m...@nh2.me mailto:m...@nh2.me wrote: No matter what we do with cabal, it would be great if I could soon point my browser at https://haskell.org *anyway*. On 28/10/12 23:55, Patrick Mylund Nielsen wrote: Of course, as long as Cabal itself is distributed through this same https-enabled site, you have the same PKI-backed security as just about any major website. This model has problems, yes, but it's good enough, and it's easy to use. If you really want to improve it (without impacting usability), have Google/the browser vendors pin the public cert for haskell.org http://haskell.org http://haskell.org. On Mon, Oct 29, 2012 at 12:45 AM, Patrick Mylund Nielsen hask...@patrickmylund.com mailto:hask...@patrickmylund.com mailto:hask...@patrickmylund.com mailto:hask...@patrickmylund.com wrote: PGP tends to present many usability issues, and in this case it would make more sense/provide a clearer win if there were many different, semi-untrusted hackage mirrors. Just enable HTTPS and have Cabal validate the server certificate against a CA pool of one. PKI/trusting obscure certificate authorities in Egypt and Syria is the biggest concern here, not somebody MITMing your initial Cabal installation (which in a lot of cases happens through apt-get or yum, anyway.) On Mon, Oct 29, 2012 at 12:34 AM, Changaco chang...@changaco.net mailto:chang...@changaco.net mailto:chang...@changaco.net mailto:chang...@changaco.net wrote: On Sun, 28 Oct 2012 17:07:24 -0400 Patrick Hurst wrote: How do you get a copy of cabal while making sure that somebody hasn't MITMed you and replaced the PGP key? Ultimately it is a DNS problem. To establish a secure connection with haskell.org http://haskell.org http://haskell.org you'd have to get the certificate from the DNS, but that technology is not ready yet, so all you can do is check the key against as many sources as possible like Michael Walker said. On Sun, 28 Oct 2012 17:46:06 -0400 Patrick Hurst wrote: So why not use HTTPS? Because it doesn't solve the problem. ___ Haskell-Cafe mailing list Haskell-Cafe@haskell.org mailto:Haskell-Cafe@haskell.org mailto:Haskell-Cafe@haskell.org mailto:Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe ___ Haskell-Cafe mailing list Haskell-Cafe@haskell.org mailto:Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe ___ Haskell-Cafe mailing list Haskell-Cafe@haskell.org mailto:Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe ___ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe ___ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe ___ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe
Re: [Haskell-cafe] [Security] Put haskell.org on https
Thanks Iavor et al. I agree. I'll see what we can do. We have budget for this so hopefully it will be a simple matter of finding people to implement the change. Jason On Fri, Nov 2, 2012 at 10:34 AM, Iavor Diatchki iavor.diatc...@gmail.comwrote: Hello, I think that getting a certificate is a good idea. I think this could probably be arranged by the haskell.org committee, which even has a budget for things like that, I believe. I'm cc-ing Jason, who's on the committee and might have more input on what's the best way to proceed. Thanks for bringing this up! -Iavor On Fri, Nov 2, 2012 at 5:14 AM, Ramana Kumar ramana.ku...@cl.cam.ac.ukwrote: Who is the webmaster for haskell.org? Presumably they will be required in the process of installing the certificate. As far as obtaining goes, one can obtain a free certificate from StartSSL - see https://www.startssl.com There are other CAs, but if nobody has any strong preferences, I recommend going with them. On Tue, Oct 30, 2012 at 8:52 PM, Niklas Hambüchen m...@nh2.me wrote: So how do we go forward about getting the SSL certificate and installing it? On 29/10/12 01:06, Patrick Mylund Nielsen wrote: Sure. No matter what's done in Cabal, the clients for everything else will still be mainly browsers. On Mon, Oct 29, 2012 at 12:59 AM, Niklas Hambüchen m...@nh2.me mailto:m...@nh2.me wrote: No matter what we do with cabal, it would be great if I could soon point my browser at https://haskell.org *anyway*. On 28/10/12 23:55, Patrick Mylund Nielsen wrote: Of course, as long as Cabal itself is distributed through this same https-enabled site, you have the same PKI-backed security as just about any major website. This model has problems, yes, but it's good enough, and it's easy to use. If you really want to improve it (without impacting usability), have Google/the browser vendors pin the public cert for haskell.org http://haskell.org http://haskell.org. On Mon, Oct 29, 2012 at 12:45 AM, Patrick Mylund Nielsen hask...@patrickmylund.com mailto:hask...@patrickmylund.com mailto:hask...@patrickmylund.com mailto:hask...@patrickmylund.com wrote: PGP tends to present many usability issues, and in this case it would make more sense/provide a clearer win if there were many different, semi-untrusted hackage mirrors. Just enable HTTPS and have Cabal validate the server certificate against a CA pool of one. PKI/trusting obscure certificate authorities in Egypt and Syria is the biggest concern here, not somebody MITMing your initial Cabal installation (which in a lot of cases happens through apt-get or yum, anyway.) On Mon, Oct 29, 2012 at 12:34 AM, Changaco chang...@changaco.net mailto:chang...@changaco.net mailto:chang...@changaco.net mailto:chang...@changaco.net wrote: On Sun, 28 Oct 2012 17:07:24 -0400 Patrick Hurst wrote: How do you get a copy of cabal while making sure that somebody hasn't MITMed you and replaced the PGP key? Ultimately it is a DNS problem. To establish a secure connection with haskell.org http://haskell.org http://haskell.org you'd have to get the certificate from the DNS, but that technology is not ready yet, so all you can do is check the key against as many sources as possible like Michael Walker said. On Sun, 28 Oct 2012 17:46:06 -0400 Patrick Hurst wrote: So why not use HTTPS? Because it doesn't solve the problem. ___ Haskell-Cafe mailing list Haskell-Cafe@haskell.org mailto: Haskell-Cafe@haskell.org mailto:Haskell-Cafe@haskell.org mailto:Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe ___ Haskell-Cafe mailing list Haskell-Cafe@haskell.org mailto:Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe ___ Haskell-Cafe mailing list Haskell-Cafe@haskell.org mailto:Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe ___ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe ___ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe
Re: [Haskell-cafe] [Security] Put haskell.org on https
So how do we go forward about getting the SSL certificate and installing it? On 29/10/12 01:06, Patrick Mylund Nielsen wrote: Sure. No matter what's done in Cabal, the clients for everything else will still be mainly browsers. On Mon, Oct 29, 2012 at 12:59 AM, Niklas Hambüchen m...@nh2.me mailto:m...@nh2.me wrote: No matter what we do with cabal, it would be great if I could soon point my browser at https://haskell.org *anyway*. On 28/10/12 23:55, Patrick Mylund Nielsen wrote: Of course, as long as Cabal itself is distributed through this same https-enabled site, you have the same PKI-backed security as just about any major website. This model has problems, yes, but it's good enough, and it's easy to use. If you really want to improve it (without impacting usability), have Google/the browser vendors pin the public cert for haskell.org http://haskell.org http://haskell.org. On Mon, Oct 29, 2012 at 12:45 AM, Patrick Mylund Nielsen hask...@patrickmylund.com mailto:hask...@patrickmylund.com mailto:hask...@patrickmylund.com mailto:hask...@patrickmylund.com wrote: PGP tends to present many usability issues, and in this case it would make more sense/provide a clearer win if there were many different, semi-untrusted hackage mirrors. Just enable HTTPS and have Cabal validate the server certificate against a CA pool of one. PKI/trusting obscure certificate authorities in Egypt and Syria is the biggest concern here, not somebody MITMing your initial Cabal installation (which in a lot of cases happens through apt-get or yum, anyway.) On Mon, Oct 29, 2012 at 12:34 AM, Changaco chang...@changaco.net mailto:chang...@changaco.net mailto:chang...@changaco.net mailto:chang...@changaco.net wrote: On Sun, 28 Oct 2012 17:07:24 -0400 Patrick Hurst wrote: How do you get a copy of cabal while making sure that somebody hasn't MITMed you and replaced the PGP key? Ultimately it is a DNS problem. To establish a secure connection with haskell.org http://haskell.org http://haskell.org you'd have to get the certificate from the DNS, but that technology is not ready yet, so all you can do is check the key against as many sources as possible like Michael Walker said. On Sun, 28 Oct 2012 17:46:06 -0400 Patrick Hurst wrote: So why not use HTTPS? Because it doesn't solve the problem. ___ Haskell-Cafe mailing list Haskell-Cafe@haskell.org mailto:Haskell-Cafe@haskell.org mailto:Haskell-Cafe@haskell.org mailto:Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe ___ Haskell-Cafe mailing list Haskell-Cafe@haskell.org mailto:Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe ___ Haskell-Cafe mailing list Haskell-Cafe@haskell.org mailto:Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe ___ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe
Re: [Haskell-cafe] [Security] Put haskell.org on https
+1 Pedro On Sun, Oct 28, 2012 at 12:20 AM, Niklas Hambüchen m...@nh2.me wrote: (I have mentioned this several times on #haskell, but nothing has happened so far.) Are you aware that all haskell.org websites (hackage, HaskellWiki, ghc trac) allow unencrypted http connections only? This means that everyone in the same Wifi can potentially - read you passwords for all of these services - abuse your hackage account and override arbitrary packages (especially since hackage allows everybody to override everything) I propose we get an SSL certificate for haskell.org. I also offer to donate that SSL certificate (or directly create it using my Startcom account). Niklas ___ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe ___ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe
Re: [Haskell-cafe] [Security] Put haskell.org on https
At Sun, 28 Oct 2012 00:20:16 +0100, Niklas Hambüchen wrote: (I have mentioned this several times on #haskell, but nothing has happened so far.) Are you aware that all haskell.org websites (hackage, HaskellWiki, ghc trac) allow unencrypted http connections only? This means that everyone in the same Wifi can potentially - read you passwords for all of these services - abuse your hackage account and override arbitrary packages (especially since hackage allows everybody to override everything) I propose we get an SSL certificate for haskell.org. I also offer to donate that SSL certificate (or directly create it using my Startcom account). Agreed, I can chip in - but I think a certificate is pretty cheap nowadays :). -- Francesco ___ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe
Re: [Haskell-cafe] [Security] Put haskell.org on https
2012/10/28 Francesco Mazzoli f...@mazzo.li: At Sun, 28 Oct 2012 00:20:16 +0100, Niklas Hambüchen wrote: (I have mentioned this several times on #haskell, but nothing has happened so far.) Are you aware that all haskell.org websites (hackage, HaskellWiki, ghc trac) allow unencrypted http connections only? This means that everyone in the same Wifi can potentially - read you passwords for all of these services - abuse your hackage account and override arbitrary packages (especially since hackage allows everybody to override everything) I propose we get an SSL certificate for haskell.org. I also offer to donate that SSL certificate (or directly create it using my Startcom account). Agreed, I can chip in - but I think a certificate is pretty cheap nowadays :). Good idea, I completely support it. Major sites like Google, Github, BitBucket, etc. are https only nowadays. Petr Pudlak ___ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe
Re: [Haskell-cafe] [Security] Put haskell.org on https
I support this proposal too. More reasons to use HTTPS can be found at https://www.eff.org/https-everywhere/deploying-https On Sun, Oct 28, 2012 at 8:51 AM, Petr P petr@gmail.com wrote: 2012/10/28 Francesco Mazzoli f...@mazzo.li: At Sun, 28 Oct 2012 00:20:16 +0100, Niklas Hambüchen wrote: (I have mentioned this several times on #haskell, but nothing has happened so far.) Are you aware that all haskell.org websites (hackage, HaskellWiki, ghc trac) allow unencrypted http connections only? This means that everyone in the same Wifi can potentially - read you passwords for all of these services - abuse your hackage account and override arbitrary packages (especially since hackage allows everybody to override everything) I propose we get an SSL certificate for haskell.org. I also offer to donate that SSL certificate (or directly create it using my Startcom account). Agreed, I can chip in - but I think a certificate is pretty cheap nowadays :). Good idea, I completely support it. Major sites like Google, Github, BitBucket, etc. are https only nowadays. Petr Pudlak ___ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe ___ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe
Re: [Haskell-cafe] [Security] Put haskell.org on https
On 10/28/2012 03:20 AM, Niklas Hambüchen wrote: - abuse your hackage account and override arbitrary packages (especially since hackage allows everybody to override everything) Does hackage at least store the logs of packages uploads? What's the reason or such a security model? I guess it was appropriate in the past when hackage was an experimental service, but now it's a standard way of distributing Haskell code. If anyone can update any package, we are waiting for the disaster. I have some haskell code I wrote myself running as root and these thoughts make me shiver. Https is a must-have in current situation, but it's only part of a solution. ___ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe
Re: [Haskell-cafe] [Security] Put haskell.org on https
At Sun, 28 Oct 2012 14:59:00 +0400, Dmitry Vyal wrote: Does hackage at least store the logs of packages uploads? What's the reason or such a security model? I guess it was appropriate in the past when hackage was an experimental service, but now it's a standard way of distributing Haskell code. If anyone can update any package, we are waiting for the disaster. I have some haskell code I wrote myself running as root and these thoughts make me shiver. There is no good reason for it to be like that, it is truly bad. Hackage2 has been in the works for a while and will fix this problem. More information here: http://hackage.haskell.org/trac/hackage/wiki/HackageDB/2.0. ___ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe
Re: [Haskell-cafe] [Security] Put haskell.org on https
While I would love to have hackage available (or even forced) over https, I think the biggest reason it currently isn't, is that cabal would then also need https support. This means the HTTP library would need https support, which I've heard will be hard to implement cross-platform (read: on Windows). However, I guess providing https as an option is still a huge step forwards compared to the current situation. Erik On Sun, Oct 28, 2012 at 1:20 AM, Niklas Hambüchen m...@nh2.me wrote: (I have mentioned this several times on #haskell, but nothing has happened so far.) Are you aware that all haskell.org websites (hackage, HaskellWiki, ghc trac) allow unencrypted http connections only? This means that everyone in the same Wifi can potentially - read you passwords for all of these services - abuse your hackage account and override arbitrary packages (especially since hackage allows everybody to override everything) I propose we get an SSL certificate for haskell.org. I also offer to donate that SSL certificate (or directly create it using my Startcom account). Niklas ___ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe ___ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe
Re: [Haskell-cafe] [Security] Put haskell.org on https
Erik, does cabal need to do any authenticated stuff? For downloading packages I think HTTP is perfectly fine. So we could have HTTP for cabal download only and HTTPS for everything else. Best regards, Petr Pudlak 2012/10/28 Erik Hesselink hessel...@gmail.com: While I would love to have hackage available (or even forced) over https, I think the biggest reason it currently isn't, is that cabal would then also need https support. This means the HTTP library would need https support, which I've heard will be hard to implement cross-platform (read: on Windows). However, I guess providing https as an option is still a huge step forwards compared to the current situation. Erik On Sun, Oct 28, 2012 at 1:20 AM, Niklas Hambüchen m...@nh2.me wrote: (I have mentioned this several times on #haskell, but nothing has happened so far.) Are you aware that all haskell.org websites (hackage, HaskellWiki, ghc trac) allow unencrypted http connections only? This means that everyone in the same Wifi can potentially - read you passwords for all of these services - abuse your hackage account and override arbitrary packages (especially since hackage allows everybody to override everything) I propose we get an SSL certificate for haskell.org. I also offer to donate that SSL certificate (or directly create it using my Startcom account). Niklas ___ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe ___ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe ___ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe
Re: [Haskell-cafe] [Security] Put haskell.org on https
I think it is only needed for 'cabal upload'. So if you upload via the web only, you'd never send your password over plain HTTP. Erik On Sun, Oct 28, 2012 at 1:38 PM, Petr P petr@gmail.com wrote: Erik, does cabal need to do any authenticated stuff? For downloading packages I think HTTP is perfectly fine. So we could have HTTP for cabal download only and HTTPS for everything else. Best regards, Petr Pudlak 2012/10/28 Erik Hesselink hessel...@gmail.com: While I would love to have hackage available (or even forced) over https, I think the biggest reason it currently isn't, is that cabal would then also need https support. This means the HTTP library would need https support, which I've heard will be hard to implement cross-platform (read: on Windows). However, I guess providing https as an option is still a huge step forwards compared to the current situation. Erik On Sun, Oct 28, 2012 at 1:20 AM, Niklas Hambüchen m...@nh2.me wrote: (I have mentioned this several times on #haskell, but nothing has happened so far.) Are you aware that all haskell.org websites (hackage, HaskellWiki, ghc trac) allow unencrypted http connections only? This means that everyone in the same Wifi can potentially - read you passwords for all of these services - abuse your hackage account and override arbitrary packages (especially since hackage allows everybody to override everything) I propose we get an SSL certificate for haskell.org. I also offer to donate that SSL certificate (or directly create it using my Startcom account). Niklas ___ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe ___ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe ___ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe
Re: [Haskell-cafe] [Security] Put haskell.org on https
On Sun, Oct 28, 2012 at 01:38:46PM +0100, Petr P wrote: Erik, does cabal need to do any authenticated stuff? For downloading packages I think HTTP is perfectly fine. So we could have HTTP for cabal download only and HTTPS for everything else. Kindly disagree here. Ensuring that packages are downloaded safely/correctly without MITM attacks is also important. Even if as an option. regards, iustin ___ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe
Re: [Haskell-cafe] [Security] Put haskell.org on https
2012/10/28 Iustin Pop iu...@k1024.org: On Sun, Oct 28, 2012 at 01:38:46PM +0100, Petr P wrote: does cabal need to do any authenticated stuff? For downloading packages I think HTTP is perfectly fine. So we could have HTTP for cabal download only and HTTPS for everything else. Kindly disagree here. Ensuring that packages are downloaded safely/correctly without MITM attacks is also important. Even if as an option. Good point. But if cabal+https is a problem, this could be solved by other means too, for example by signing the packages. Best regards, Petr Pudlak ___ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe
Re: [Haskell-cafe] [Security] Put haskell.org on https
On Sun, Oct 28, 2012 at 03:53:04PM +0100, Petr P wrote: 2012/10/28 Iustin Pop iu...@k1024.org: On Sun, Oct 28, 2012 at 01:38:46PM +0100, Petr P wrote: does cabal need to do any authenticated stuff? For downloading packages I think HTTP is perfectly fine. So we could have HTTP for cabal download only and HTTPS for everything else. Kindly disagree here. Ensuring that packages are downloaded safely/correctly without MITM attacks is also important. Even if as an option. Good point. But if cabal+https is a problem, this could be solved by other means too, for example by signing the packages. Well, I agree, but then the same could be applied on upload too, like Debian does - instead of user+pw, register a GPG key. iustin ___ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe
Re: [Haskell-cafe] [Security] Put haskell.org on https
On Sun, 28 Oct 2012 14:45:02 +0100 Iustin Pop wrote: Kindly disagree here. Ensuring that packages are downloaded safely/correctly without MITM attacks is also important. Even if as an option. HTTPS doesn't fully protect against a MITM since there is no shared secret between client and server prior to the connection. The MITM can use a self-signed certificate, or possibly a certificate signed by a compromised CA. ___ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe
Re: [Haskell-cafe] [Security] Put haskell.org on https
On Sun, Oct 28, 2012 at 04:26:07PM +0100, Changaco wrote: On Sun, 28 Oct 2012 14:45:02 +0100 Iustin Pop wrote: Kindly disagree here. Ensuring that packages are downloaded safely/correctly without MITM attacks is also important. Even if as an option. HTTPS doesn't fully protect against a MITM since there is no shared secret between client and server prior to the connection. The MITM can use a self-signed certificate, or possibly a certificate signed by a compromised CA. Sure, but I was talking about a proper certificate signed by a well-known registrar, at which point the https client would default to verify the signature against the system certificate store. Yes, I'm fully aware that this is not fully safe, but I hope you agree that https with a proper certificate is much better than plain http. regards, iustin ___ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe
Re: [Haskell-cafe] [Security] Put haskell.org on https
On Sun, 28 Oct 2012 16:39:10 +0100 Iustin Pop wrote: Sure, but I was talking about a proper certificate signed by a well-known registrar, at which point the https client would default to verify the signature against the system certificate store. It doesn't matter what kind of certificate the server uses since the client generally doesn't know about it, especially on first connection. Some programs remember the certificate between uses and inform you when it changes, but that's not perfect either. Yes, I'm fully aware that this is not fully safe, but I hope you agree that https with a proper certificate is much better than plain http. I agree that X.509 provides some protection, but PGP is better. My point was: when possible don't rely on X.509 for security, build a Web of Trust instead. ___ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe
Re: [Haskell-cafe] [Security] Put haskell.org on https
2012/10/28 Changaco chang...@changaco.net: It doesn't matter what kind of certificate the server uses since the client generally doesn't know about it, especially on first connection. Some programs remember the certificate between uses and inform you when it changes, but that's not perfect either. In this particular case, cabal can have the public part of the certificate built-in (as it has the web address built in). So once one has a verified installation of cabal, it can verify the server packages without being susceptible to MitM attack (no matter if they're PGP signed or X.509 signed). Best regards, Petr Pudlak ___ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe
Re: [Haskell-cafe] [Security] Put haskell.org on https
On Sun, Oct 28, 2012 at 05:10:39PM +0100, Changaco wrote: On Sun, 28 Oct 2012 16:39:10 +0100 Iustin Pop wrote: Sure, but I was talking about a proper certificate signed by a well-known registrar, at which point the https client would default to verify the signature against the system certificate store. It doesn't matter what kind of certificate the server uses since the client generally doesn't know about it, especially on first connection. Some programs remember the certificate between uses and inform you when it changes, but that's not perfect either. The client doesn't have to know about it, if it can verify a chain of trust via the system cert store, as I said above. regards, iustin ___ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe
Re: [Haskell-cafe] [Security] Put haskell.org on https
On Oct 28, 2012, at 12:10 PM, Changaco chang...@changaco.net wrote: On Sun, 28 Oct 2012 16:39:10 +0100 Iustin Pop wrote: Sure, but I was talking about a proper certificate signed by a well-known registrar, at which point the https client would default to verify the signature against the system certificate store. It doesn't matter what kind of certificate the server uses since the client generally doesn't know about it, especially on first connection. Some programs remember the certificate between uses and inform you when it changes, but that's not perfect either. Yes, I'm fully aware that this is not fully safe, but I hope you agree that https with a proper certificate is much better than plain http. I agree that X.509 provides some protection, but PGP is better. My point was: when possible don't rely on X.509 for security, build a Web of Trust instead. The reason HTTPS works is that most operating systems will have a list of some number of root CAs (or a way to get them via some other channel that the OS trusts, such as through GPG-signed packages) that it implicitly trusts. The user gets the security without any extra effort on their end. On the other hand, with PGP, any user who wants to be secure but doesn't use GPG would have to verify the identity of whoever signed the Cabal GPG key, and most non-Linux operating systems don't come with a list of trusted GPG keys. So how do they get them without using HTTPS (since if you use HTTPS to figure out what keys you trust, your scheme is no more secure than HTTPS)? ___ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe
Re: [Haskell-cafe] [Security] Put haskell.org on https
On Sun, 28 Oct 2012 13:38:46 +0100, Petr P petr@gmail.com wrote: Erik, does cabal need to do any authenticated stuff? For downloading packages I think HTTP is perfectly fine. So we could have HTTP for cabal download only and HTTPS for everything else. Best regards, Petr Pudlak Without checking a certificate, it could be that you are connected to a false server; without encryption, the package could be replaced by another package (a man-in-the-middle attack). Regards, Henk-Jan van Tuyl -- http://Van.Tuyl.eu/ http://members.chello.nl/hjgtuyl/tourdemonad.html Haskell programming -- ___ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe
Re: [Haskell-cafe] [Security] Put haskell.org on https
On Sun, 28 Oct 2012 17:46:10 +0100 Petr P wrote: In this particular case, cabal can have the public part of the certificate built-in (as it has the web address built in). So once one has a verified installation of cabal, it can verify the server packages without being susceptible to MitM attack (no matter if they're PGP signed or X.509 signed). This is PGP's security model, so it's probably better to use PGP keys. ___ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe
Re: [Haskell-cafe] [Security] Put haskell.org on https
On Sun, Oct 28, 2012 at 1:45 PM, Patrick Hurst phu...@amateurtopologist.com wrote: On the other hand, with PGP, any user who wants to be secure but doesn't use GPG would have to verify the identity of whoever signed the Cabal GPG key, and most non-Linux operating systems don't come with a list of trusted GPG keys. So how do they get them without using HTTPS (since if you use HTTPS to figure out what keys you trust, your scheme is no more secure than HTTPS)? Well.. my dumb idea is that you include some trusted GPG keys with the cabal client itself? Obviously you must be getting cabal-install from a trusted source, or all the HTTPS in the world can't help you? I'm sure this idea is wrong somehow, but someone had to mention it ;) - jeremy ___ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe
Re: [Haskell-cafe] [Security] Put haskell.org on https
On Oct 28, 2012, at 4:38 PM, Changaco chang...@changaco.net wrote: On Sun, 28 Oct 2012 17:46:10 +0100 Petr P wrote: In this particular case, cabal can have the public part of the certificate built-in (as it has the web address built in). So once one has a verified installation of cabal, it can verify the server packages without being susceptible to MitM attack (no matter if they're PGP signed or X.509 signed). This is PGP's security model, so it's probably better to use PGP keys. How do you get a copy of cabal while making sure that somebody hasn't MITMed you and replaced the PGP key? ___ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe
Re: [Haskell-cafe] [Security] Put haskell.org on https
Do it at home. If you're at an internet cafe, though, it'd be nice if you could trust cabal packages. - Clark On Sun, Oct 28, 2012 at 5:07 PM, Patrick Hurst phu...@amateurtopologist.com wrote: On Oct 28, 2012, at 4:38 PM, Changaco chang...@changaco.net wrote: On Sun, 28 Oct 2012 17:46:10 +0100 Petr P wrote: In this particular case, cabal can have the public part of the certificate built-in (as it has the web address built in). So once one has a verified installation of cabal, it can verify the server packages without being susceptible to MitM attack (no matter if they're PGP signed or X.509 signed). This is PGP's security model, so it's probably better to use PGP keys. How do you get a copy of cabal while making sure that somebody hasn't MITMed you and replaced the PGP key? ___ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe ___ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe
Re: [Haskell-cafe] [Security] Put haskell.org on https
How do you get a copy of cabal while making sure that somebody hasn't MITMed you and replaced the PGP key? You don't. Somewhere, you just have to trust that nothing went awry. The best thing to do is just to make it as difficult as possible for an attacker to be successful - make the PGP keys widely known and have a lot of people sign them. -- Michael Walker (http://www.barrucadu.co.uk) signature.asc Description: PGP signature ___ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe
Re: [Haskell-cafe] [Security] Put haskell.org on https
So why not use HTTPS? Michael Walker October 28, 2012 5:43 PM You don't. Somewhere, you just have to trust that nothing went awry.The best thing to do is just to make it as difficult as possible for anattacker to be successful - make the PGP keys widely known and have alot of people sign them.___Haskell-Cafe mailing listHaskell-Cafe@haskell.orghttp://www.haskell.org/mailman/listinfo/haskell-cafe Changaco October 28, 2012 4:38 PM This is PGP's security model, so it's probably better to use PGP keys.___Haskell-Cafe mailing listHaskell-Cafe@haskell.orghttp://www.haskell.org/mailman/listinfo/haskell-cafe ___ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe
Re: [Haskell-cafe] [Security] Put haskell.org on https
On Sun, 28 Oct 2012 17:07:24 -0400 Patrick Hurst wrote: How do you get a copy of cabal while making sure that somebody hasn't MITMed you and replaced the PGP key? Ultimately it is a DNS problem. To establish a secure connection with haskell.org you'd have to get the certificate from the DNS, but that technology is not ready yet, so all you can do is check the key against as many sources as possible like Michael Walker said. On Sun, 28 Oct 2012 17:46:06 -0400 Patrick Hurst wrote: So why not use HTTPS? Because it doesn't solve the problem. ___ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe
Re: [Haskell-cafe] [Security] Put haskell.org on https
PGP tends to present many usability issues, and in this case it would make more sense/provide a clearer win if there were many different, semi-untrusted hackage mirrors. Just enable HTTPS and have Cabal validate the server certificate against a CA pool of one. PKI/trusting obscure certificate authorities in Egypt and Syria is the biggest concern here, not somebody MITMing your initial Cabal installation (which in a lot of cases happens through apt-get or yum, anyway.) On Mon, Oct 29, 2012 at 12:34 AM, Changaco chang...@changaco.net wrote: On Sun, 28 Oct 2012 17:07:24 -0400 Patrick Hurst wrote: How do you get a copy of cabal while making sure that somebody hasn't MITMed you and replaced the PGP key? Ultimately it is a DNS problem. To establish a secure connection with haskell.org you'd have to get the certificate from the DNS, but that technology is not ready yet, so all you can do is check the key against as many sources as possible like Michael Walker said. On Sun, 28 Oct 2012 17:46:06 -0400 Patrick Hurst wrote: So why not use HTTPS? Because it doesn't solve the problem. ___ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe ___ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe
Re: [Haskell-cafe] [Security] Put haskell.org on https
Of course, as long as Cabal itself is distributed through this same https-enabled site, you have the same PKI-backed security as just about any major website. This model has problems, yes, but it's good enough, and it's easy to use. If you really want to improve it (without impacting usability), have Google/the browser vendors pin the public cert for haskell.org. On Mon, Oct 29, 2012 at 12:45 AM, Patrick Mylund Nielsen hask...@patrickmylund.com wrote: PGP tends to present many usability issues, and in this case it would make more sense/provide a clearer win if there were many different, semi-untrusted hackage mirrors. Just enable HTTPS and have Cabal validate the server certificate against a CA pool of one. PKI/trusting obscure certificate authorities in Egypt and Syria is the biggest concern here, not somebody MITMing your initial Cabal installation (which in a lot of cases happens through apt-get or yum, anyway.) On Mon, Oct 29, 2012 at 12:34 AM, Changaco chang...@changaco.net wrote: On Sun, 28 Oct 2012 17:07:24 -0400 Patrick Hurst wrote: How do you get a copy of cabal while making sure that somebody hasn't MITMed you and replaced the PGP key? Ultimately it is a DNS problem. To establish a secure connection with haskell.org you'd have to get the certificate from the DNS, but that technology is not ready yet, so all you can do is check the key against as many sources as possible like Michael Walker said. On Sun, 28 Oct 2012 17:46:06 -0400 Patrick Hurst wrote: So why not use HTTPS? Because it doesn't solve the problem. ___ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe ___ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe
Re: [Haskell-cafe] [Security] Put haskell.org on https
No matter what we do with cabal, it would be great if I could soon point my browser at https://haskell.org *anyway*. On 28/10/12 23:55, Patrick Mylund Nielsen wrote: Of course, as long as Cabal itself is distributed through this same https-enabled site, you have the same PKI-backed security as just about any major website. This model has problems, yes, but it's good enough, and it's easy to use. If you really want to improve it (without impacting usability), have Google/the browser vendors pin the public cert for haskell.org http://haskell.org. On Mon, Oct 29, 2012 at 12:45 AM, Patrick Mylund Nielsen hask...@patrickmylund.com mailto:hask...@patrickmylund.com wrote: PGP tends to present many usability issues, and in this case it would make more sense/provide a clearer win if there were many different, semi-untrusted hackage mirrors. Just enable HTTPS and have Cabal validate the server certificate against a CA pool of one. PKI/trusting obscure certificate authorities in Egypt and Syria is the biggest concern here, not somebody MITMing your initial Cabal installation (which in a lot of cases happens through apt-get or yum, anyway.) On Mon, Oct 29, 2012 at 12:34 AM, Changaco chang...@changaco.net mailto:chang...@changaco.net wrote: On Sun, 28 Oct 2012 17:07:24 -0400 Patrick Hurst wrote: How do you get a copy of cabal while making sure that somebody hasn't MITMed you and replaced the PGP key? Ultimately it is a DNS problem. To establish a secure connection with haskell.org http://haskell.org you'd have to get the certificate from the DNS, but that technology is not ready yet, so all you can do is check the key against as many sources as possible like Michael Walker said. On Sun, 28 Oct 2012 17:46:06 -0400 Patrick Hurst wrote: So why not use HTTPS? Because it doesn't solve the problem. ___ Haskell-Cafe mailing list Haskell-Cafe@haskell.org mailto:Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe ___ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe ___ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe
Re: [Haskell-cafe] [Security] Put haskell.org on https
Sure. No matter what's done in Cabal, the clients for everything else will still be mainly browsers. On Mon, Oct 29, 2012 at 12:59 AM, Niklas Hambüchen m...@nh2.me wrote: No matter what we do with cabal, it would be great if I could soon point my browser at https://haskell.org *anyway*. On 28/10/12 23:55, Patrick Mylund Nielsen wrote: Of course, as long as Cabal itself is distributed through this same https-enabled site, you have the same PKI-backed security as just about any major website. This model has problems, yes, but it's good enough, and it's easy to use. If you really want to improve it (without impacting usability), have Google/the browser vendors pin the public cert for haskell.org http://haskell.org. On Mon, Oct 29, 2012 at 12:45 AM, Patrick Mylund Nielsen hask...@patrickmylund.com mailto:hask...@patrickmylund.com wrote: PGP tends to present many usability issues, and in this case it would make more sense/provide a clearer win if there were many different, semi-untrusted hackage mirrors. Just enable HTTPS and have Cabal validate the server certificate against a CA pool of one. PKI/trusting obscure certificate authorities in Egypt and Syria is the biggest concern here, not somebody MITMing your initial Cabal installation (which in a lot of cases happens through apt-get or yum, anyway.) On Mon, Oct 29, 2012 at 12:34 AM, Changaco chang...@changaco.net mailto:chang...@changaco.net wrote: On Sun, 28 Oct 2012 17:07:24 -0400 Patrick Hurst wrote: How do you get a copy of cabal while making sure that somebody hasn't MITMed you and replaced the PGP key? Ultimately it is a DNS problem. To establish a secure connection with haskell.org http://haskell.org you'd have to get the certificate from the DNS, but that technology is not ready yet, so all you can do is check the key against as many sources as possible like Michael Walker said. On Sun, 28 Oct 2012 17:46:06 -0400 Patrick Hurst wrote: So why not use HTTPS? Because it doesn't solve the problem. ___ Haskell-Cafe mailing list Haskell-Cafe@haskell.org mailto:Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe ___ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe ___ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe ___ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe
[Haskell-cafe] [Security] Put haskell.org on https
(I have mentioned this several times on #haskell, but nothing has happened so far.) Are you aware that all haskell.org websites (hackage, HaskellWiki, ghc trac) allow unencrypted http connections only? This means that everyone in the same Wifi can potentially - read you passwords for all of these services - abuse your hackage account and override arbitrary packages (especially since hackage allows everybody to override everything) I propose we get an SSL certificate for haskell.org. I also offer to donate that SSL certificate (or directly create it using my Startcom account). Niklas ___ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe
