[Security] Put haskell.org on https

[Security] Put haskell.org on https

Niklas Hambüchen
(I have mentioned this several times on #haskell, but nothing has
happened so far.)

Are you aware that all haskell.org websites (hackage, HaskellWiki, ghc
trac) allow unencrypted http connections only?

This means that everyone in the same Wifi can potentially

- read your passwords for all of these services

- abuse your hackage account and override arbitrary packages
  (especially since hackage allows everybody to override everything)


I propose we get an SSL certificate for haskell.org.
I also offer to donate that SSL certificate (or directly create it using
my Startcom account).

Niklas

_______________________________________________
Haskell-Cafe mailing list
[hidden email]
http://www.haskell.org/mailman/listinfo/haskell-cafe

Re: [Security] Put haskell.org on https

José Pedro Magalhães
+1


Pedro

On Sun, Oct 28, 2012 at 12:20 AM, Niklas Hambüchen <[hidden email]> wrote:
(I have mentioned this several times on #haskell, but nothing has
happened so far.)

Are you aware that all haskell.org websites (hackage, HaskellWiki, ghc
trac) allow unencrypted http connections only?

This means that everyone in the same Wifi can potentially

- read your passwords for all of these services

- abuse your hackage account and override arbitrary packages
  (especially since hackage allows everybody to override everything)


I propose we get an SSL certificate for haskell.org.
I also offer to donate that SSL certificate (or directly create it using
my Startcom account).

Niklas


Re: [Security] Put haskell.org on https

Francesco Mazzoli
In reply to this post by Niklas Hambüchen
At Sun, 28 Oct 2012 00:20:16 +0100,
Niklas Hambüchen wrote:

> (I have mentioned this several times on #haskell, but nothing has
> happened so far.)
>
> Are you aware that all haskell.org websites (hackage, HaskellWiki, ghc
> trac) allow unencrypted http connections only?
>
> This means that everyone in the same Wifi can potentially
>
> - read your passwords for all of these services
>
> - abuse your hackage account and override arbitrary packages
>   (especially since hackage allows everybody to override everything)
>
>
> I propose we get an SSL certificate for haskell.org.
> I also offer to donate that SSL certificate (or directly create it using
> my Startcom account).

Agreed, I can chip in - but I think a certificate is pretty cheap nowadays :).

--
Francesco


Re: [Security] Put haskell.org on https

Petr Pudlák
2012/10/28 Francesco Mazzoli <[hidden email]>:

> At Sun, 28 Oct 2012 00:20:16 +0100,
> Niklas Hambüchen wrote:
>> (I have mentioned this several times on #haskell, but nothing has
>> happened so far.)
>>
>> Are you aware that all haskell.org websites (hackage, HaskellWiki, ghc
>> trac) allow unencrypted http connections only?
>>
>> This means that everyone in the same Wifi can potentially
>>
>> - read your passwords for all of these services
>>
>> - abuse your hackage account and override arbitrary packages
>>   (especially since hackage allows everybody to override everything)
>>
>>
>> I propose we get an SSL certificate for haskell.org.
>> I also offer to donate that SSL certificate (or directly create it using
>> my Startcom account).
>
> Agreed, I can chip in - but I think a certificate is pretty cheap nowadays :).

Good idea, I completely support it. Major sites like Google, Github,
BitBucket, etc. are https only nowadays.

Petr Pudlak


Re: [Security] Put haskell.org on https

Ramana Kumar-2
I support this proposal too.
More reasons to use HTTPS can be found at https://www.eff.org/https-everywhere/deploying-https

On Sun, Oct 28, 2012 at 8:51 AM, Petr P <[hidden email]> wrote:
2012/10/28 Francesco Mazzoli <[hidden email]>:
> At Sun, 28 Oct 2012 00:20:16 +0100,
> Niklas Hambüchen wrote:
>> (I have mentioned this several times on #haskell, but nothing has
>> happened so far.)
>>
>> Are you aware that all haskell.org websites (hackage, HaskellWiki, ghc
>> trac) allow unencrypted http connections only?
>>
>> This means that everyone in the same Wifi can potentially
>>
>> - read your passwords for all of these services
>>
>> - abuse your hackage account and override arbitrary packages
>>   (especially since hackage allows everybody to override everything)
>>
>>
>> I propose we get an SSL certificate for haskell.org.
>> I also offer to donate that SSL certificate (or directly create it using
>> my Startcom account).
>
> Agreed, I can chip in - but I think a certificate is pretty cheap nowadays :).

Good idea, I completely support it. Major sites like Google, Github,
BitBucket, etc. are https only nowadays.

Petr Pudlak


Re: [Security] Put haskell.org on https

Dmitry V'yal
In reply to this post by Niklas Hambüchen
On 10/28/2012 03:20 AM, Niklas Hambüchen wrote:
> - abuse your hackage account and override arbitrary packages
>    (especially since hackage allows everybody to override everything)
Does hackage at least store the logs of package uploads? What's the
reason for such a security model? I guess it was appropriate in the past
when hackage was an experimental service, but now it's a standard way of
distributing Haskell code. If anyone can update any package, we are
waiting for the disaster. I have some haskell code I wrote myself
running as root and these thoughts make me shiver.

Https is a must-have in the current situation, but it's only part of a solution.


Re: [Security] Put haskell.org on https

Francesco Mazzoli
At Sun, 28 Oct 2012 14:59:00 +0400,
Dmitry Vyal wrote:
> Does hackage at least store the logs of package uploads? What's the reason for
> such a security model? I guess it was appropriate in the past when hackage was
> an experimental service, but now it's a standard way of distributing Haskell
> code. If anyone can update any package, we are waiting for the disaster. I
> have some haskell code I wrote myself running as root and these thoughts make
> me shiver.

There is no good reason for it to be like that, it is truly bad.  Hackage2 has
been in the works for a while and will fix this "problem".  More information
here: <http://hackage.haskell.org/trac/hackage/wiki/HackageDB/2.0>.


Re: [Security] Put haskell.org on https

Erik Hesselink
In reply to this post by Niklas Hambüchen
While I would love to have hackage available (or even forced) over
https, I think the biggest reason it currently isn't, is that cabal
would then also need https support. This means the HTTP library would
need https support, which I've heard will be hard to implement
cross-platform (read: on Windows).

However, I guess providing https as an option is still a huge step
forwards compared to the current situation.

Erik

On Sun, Oct 28, 2012 at 1:20 AM, Niklas Hambüchen <[hidden email]> wrote:

> (I have mentioned this several times on #haskell, but nothing has
> happened so far.)
>
> Are you aware that all haskell.org websites (hackage, HaskellWiki, ghc
> trac) allow unencrypted http connections only?
>
> This means that everyone in the same Wifi can potentially
>
> - read your passwords for all of these services
>
> - abuse your hackage account and override arbitrary packages
>   (especially since hackage allows everybody to override everything)
>
>
> I propose we get an SSL certificate for haskell.org.
> I also offer to donate that SSL certificate (or directly create it using
> my Startcom account).
>
> Niklas

Re: [Security] Put haskell.org on https

Petr Pudlák
  Erik,

does cabal need to do any authenticated stuff? For downloading
packages I think HTTP is perfectly fine. So we could have HTTP for
cabal download only and HTTPS for everything else.

  Best regards,
  Petr Pudlak

2012/10/28 Erik Hesselink <[hidden email]>:

> While I would love to have hackage available (or even forced) over
> https, I think the biggest reason it currently isn't, is that cabal
> would then also need https support. This means the HTTP library would
> need https support, which I've heard will be hard to implement
> cross-platform (read: on Windows).
>
> However, I guess providing https as an option is still a huge step
> forwards compared to the current situation.
>
> Erik
>
> On Sun, Oct 28, 2012 at 1:20 AM, Niklas Hambüchen <[hidden email]> wrote:
>> (I have mentioned this several times on #haskell, but nothing has
>> happened so far.)
>>
>> Are you aware that all haskell.org websites (hackage, HaskellWiki, ghc
>> trac) allow unencrypted http connections only?
>>
>> This means that everyone in the same Wifi can potentially
>>
>> - read your passwords for all of these services
>>
>> - abuse your hackage account and override arbitrary packages
>>   (especially since hackage allows everybody to override everything)
>>
>>
>> I propose we get an SSL certificate for haskell.org.
>> I also offer to donate that SSL certificate (or directly create it using
>> my Startcom account).
>>
>> Niklas

Re: [Security] Put haskell.org on https

Erik Hesselink
I think it is only needed for 'cabal upload'. So if you upload via the
web only, you'd never send your password over plain HTTP.

Erik

On Sun, Oct 28, 2012 at 1:38 PM, Petr P <[hidden email]> wrote:

>   Erik,
>
> does cabal need to do any authenticated stuff? For downloading
> packages I think HTTP is perfectly fine. So we could have HTTP for
> cabal download only and HTTPS for everything else.
>
>   Best regards,
>   Petr Pudlak
>
> 2012/10/28 Erik Hesselink <[hidden email]>:
>> While I would love to have hackage available (or even forced) over
>> https, I think the biggest reason it currently isn't, is that cabal
>> would then also need https support. This means the HTTP library would
>> need https support, which I've heard will be hard to implement
>> cross-platform (read: on Windows).
>>
>> However, I guess providing https as an option is still a huge step
>> forwards compared to the current situation.
>>
>> Erik
>>
>> On Sun, Oct 28, 2012 at 1:20 AM, Niklas Hambüchen <[hidden email]> wrote:
>>> (I have mentioned this several times on #haskell, but nothing has
>>> happened so far.)
>>>
>>> Are you aware that all haskell.org websites (hackage, HaskellWiki, ghc
>>> trac) allow unencrypted http connections only?
>>>
>>> This means that everyone in the same Wifi can potentially
>>>
>>> - read your passwords for all of these services
>>>
>>> - abuse your hackage account and override arbitrary packages
>>>   (especially since hackage allows everybody to override everything)
>>>
>>>
>>> I propose we get an SSL certificate for haskell.org.
>>> I also offer to donate that SSL certificate (or directly create it using
>>> my Startcom account).
>>>
>>> Niklas

Re: [Security] Put haskell.org on https

Iustin Pop
In reply to this post by Petr Pudlák
On Sun, Oct 28, 2012 at 01:38:46PM +0100, Petr P wrote:
>   Erik,
>
> does cabal need to do any authenticated stuff? For downloading
> packages I think HTTP is perfectly fine. So we could have HTTP for
> cabal download only and HTTPS for everything else.

Kindly disagree here. Ensuring that packages are downloaded
safely/correctly without MITM attacks is also important. Even if as an
option.

regards,
iustin


Re: [Security] Put haskell.org on https

Petr Pudlák
2012/10/28 Iustin Pop <[hidden email]>:
> On Sun, Oct 28, 2012 at 01:38:46PM +0100, Petr P wrote:
>> does cabal need to do any authenticated stuff? For downloading
>> packages I think HTTP is perfectly fine. So we could have HTTP for
>> cabal download only and HTTPS for everything else.
>
> Kindly disagree here. Ensuring that packages are downloaded
> safely/correctly without MITM attacks is also important. Even if as an
> option.

Good point. But if cabal+https is a problem, this could be solved by
other means too, for example by signing the packages.

Best regards,
Petr Pudlak


Re: [Security] Put haskell.org on https

Iustin Pop
On Sun, Oct 28, 2012 at 03:53:04PM +0100, Petr P wrote:

> 2012/10/28 Iustin Pop <[hidden email]>:
> > On Sun, Oct 28, 2012 at 01:38:46PM +0100, Petr P wrote:
> >> does cabal need to do any authenticated stuff? For downloading
> >> packages I think HTTP is perfectly fine. So we could have HTTP for
> >> cabal download only and HTTPS for everything else.
> >
> > Kindly disagree here. Ensuring that packages are downloaded
> > safely/correctly without MITM attacks is also important. Even if as an
> > option.
>
> Good point. But if cabal+https is a problem, this could be solved by
> other means too, for example by signing the packages.

Well, I agree, but then the same could be applied on upload too, like
Debian does - instead of user+pw, register a GPG key.

iustin


Re: [Security] Put haskell.org on https

Changaco
In reply to this post by Iustin Pop
On Sun, 28 Oct 2012 14:45:02 +0100 Iustin Pop wrote:
> Kindly disagree here. Ensuring that packages are downloaded
> safely/correctly without MITM attacks is also important. Even if as an
> option.

HTTPS doesn't fully protect against a MITM since there is no shared
secret between client and server prior to the connection.

The MITM can use a self-signed certificate, or possibly a certificate
signed by a compromised CA.


Re: [Security] Put haskell.org on https

Iustin Pop
On Sun, Oct 28, 2012 at 04:26:07PM +0100, Changaco wrote:

> On Sun, 28 Oct 2012 14:45:02 +0100 Iustin Pop wrote:
> > Kindly disagree here. Ensuring that packages are downloaded
> > safely/correctly without MITM attacks is also important. Even if as an
> > option.
>
> HTTPS doesn't fully protect against a MITM since there is no shared
> secret between client and server prior to the connection.
>
> The MITM can use a self-signed certificate, or possibly a certificate
> signed by a compromised CA.

Sure, but I was talking about a proper certificate signed by a
well-known registrar, at which point the https client would default to
verify the signature against the system certificate store.

Yes, I'm fully aware that this is not fully safe, but I hope you agree
that https with a proper certificate is much better than plain http.

regards,
iustin


Re: [Security] Put haskell.org on https

Changaco
On Sun, 28 Oct 2012 16:39:10 +0100 Iustin Pop wrote:
> Sure, but I was talking about a proper certificate signed by a
> well-known registrar, at which point the https client would default to
> verify the signature against the system certificate store.

It doesn't matter what kind of certificate the server uses since the
client generally doesn't know about it, especially on first connection.
Some programs remember the certificate between uses and inform you
when it changes, but that's not perfect either.

> Yes, I'm fully aware that this is not fully safe, but I hope you agree
> that https with a proper certificate is much better than plain http.

I agree that X.509 provides some protection, but PGP is better.

My point was: when possible don't rely on X.509 for security, build a
Web of Trust instead.


Re: [Security] Put haskell.org on https

Petr Pudlák
2012/10/28 Changaco <[hidden email]>:
> It doesn't matter what kind of certificate the server uses since the
> client generally doesn't know about it, especially on first connection.
> Some programs remember the certificate between uses and inform you
> when it changes, but that's not perfect either.

In this particular case, cabal can have the public part of the
certificate built-in (as it has the web address built in). So once one
has a verified installation of cabal, it can verify the server
packages without being susceptible to MitM attack (no matter if
they're PGP signed or X.509 signed).

Best regards,
Petr Pudlak
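
The two client-side trust policies contrasted in this message, remembering a certificate on first use versus shipping its fingerprint inside the client, sketched in Python as an added example (not part of the original thread and not cabal's code). The host name hackage.example, the class names and the byte strings standing in for DER-encoded certificates are constructed for illustration.

```python
import hashlib
import hmac

# Constructed stand-ins for DER-encoded certificates (not real certificates).
GENUINE_CERT = b"constructed DER: hackage.example, key A"
ROTATED_CERT = b"constructed DER: hackage.example, key B (planned renewal)"
MITM_CERT = b"constructed DER: hackage.example, interceptor key"
HOST = "hackage.example"  # hypothetical host name


def fingerprint(der: bytes) -> str:
    """SHA-256 over the certificate bytes, hex encoded."""
    return hashlib.sha256(der).hexdigest()


class TofuClient:
    """Remembers the first certificate seen per host and flags later changes."""

    def __init__(self):
        self.known = {}

    def check(self, host: str, der: bytes) -> str:
        fp = fingerprint(der)
        seen = self.known.get(host)
        if seen is None:
            self.known[host] = fp      # nothing to compare against yet
            return "accepted-first-use"
        return "ok" if hmac.compare_digest(seen, fp) else "changed"


class PinnedClient:
    """Carries the allowed fingerprints inside the client itself."""

    def __init__(self, pins: dict):
        self.pins = pins               # host -> set of hex fingerprints

    def check(self, host: str, der: bytes) -> str:
        fp = fingerprint(der)
        allowed = self.pins.get(host, set())
        if any(hmac.compare_digest(fp, pin) for pin in allowed):
            return "ok"
        return "rejected"              # fail closed, also for unknown hosts


def first_connection_intercepted() -> dict:
    """Both clients meet the interceptor's certificate before the genuine one."""
    tofu = TofuClient()
    pinned = PinnedClient({HOST: {fingerprint(GENUINE_CERT),
                                  fingerprint(ROTATED_CERT)}})
    return {
        "tofu_first": tofu.check(HOST, MITM_CERT),
        "tofu_later_genuine": tofu.check(HOST, GENUINE_CERT),
        "pinned_first": pinned.check(HOST, MITM_CERT),
        "pinned_genuine": pinned.check(HOST, GENUINE_CERT),
        "pinned_rotated": pinned.check(HOST, ROTATED_CERT),
    }


if __name__ == "__main__":
    for step, verdict in first_connection_intercepted().items():
        print(f"{step}: {verdict}")
```

The pin set holds a second fingerprint so that a planned certificate renewal does not lock out clients that were shipped earlier.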


Re: [Security] Put haskell.org on https

Iustin Pop
In reply to this post by Changaco
On Sun, Oct 28, 2012 at 05:10:39PM +0100, Changaco wrote:
> On Sun, 28 Oct 2012 16:39:10 +0100 Iustin Pop wrote:
> > Sure, but I was talking about a proper certificate signed by a
> > well-known registrar, at which point the https client would default to
> > verify the signature against the system certificate store.
>
> It doesn't matter what kind of certificate the server uses since the
> client generally doesn't know about it, especially on first connection.
> Some programs remember the certificate between uses and inform you
> when it changes, but that's not perfect either.

The client doesn't have to know about it, if it can verify a chain of
trust via the system cert store, as I said above.

regards,
iustin


Re: [Security] Put haskell.org on https

Henk-Jan van Tuyl
In reply to this post by Petr Pudlák
On Sun, 28 Oct 2012 13:38:46 +0100, Petr P <[hidden email]> wrote:

>   Erik,
>
> does cabal need to do any authenticated stuff? For downloading
> packages I think HTTP is perfectly fine. So we could have HTTP for
> cabal download only and HTTPS for everything else.
>
>   Best regards,
>   Petr Pudlak
>

Without checking a certificate, it could be that you are connected to a  
false server; without encryption, the package could be replaced by another  
package (a man-in-the-middle attack).

Regards,
Henk-Jan van Tuyl


--
http://Van.Tuyl.eu/
http://members.chello.nl/hjgtuyl/tourdemonad.html
Haskell programming
--


Re: [Security] Put haskell.org on https

Patrick Hurst-2
In reply to this post by Changaco

On Oct 28, 2012, at 12:10 PM, Changaco <[hidden email]> wrote:

> On Sun, 28 Oct 2012 16:39:10 +0100 Iustin Pop wrote:
>> Sure, but I was talking about a proper certificate signed by a
>> well-known registrar, at which point the https client would default to
>> verify the signature against the system certificate store.
>
> It doesn't matter what kind of certificate the server uses since the
> client generally doesn't know about it, especially on first connection.
> Some programs remember the certificate between uses and inform you
> when it changes, but that's not perfect either.
>
>> Yes, I'm fully aware that this is not fully safe, but I hope you agree
>> that https with a proper certificate is much better than plain http.
>
> I agree that X.509 provides some protection, but PGP is better.
>
> My point was: when possible don't rely on X.509 for security, build a
> Web of Trust instead.
>

The reason HTTPS works is that most operating systems will have a list of some number of root CAs (or a way to get them via some other channel that the OS trusts, such as through GPG-signed packages) that it implicitly trusts. The user gets the security without any extra effort on their end.

On the other hand, with PGP, any user who wants to be secure but doesn't use GPG would have to verify the identity of whoever signed the Cabal GPG key, and most non-Linux operating systems don't come with a list of trusted GPG keys. So how do they get them without using HTTPS (since if you use HTTPS to figure out what keys you trust, your scheme is no more secure than HTTPS)?