Ticket #946 (new defect)
Opened 13 months ago
Packages are downloaded insecurely
|Reported by:||cooldude||Owned by:|
It appears that when running cabal install package, the package is downloaded without any transport security.
Anyone who can perform a man in the middle attack could tamper with the package that is being downloaded, resulting in a complete compromise of the cabal user.
This makes it impossible to use cabal.
The servers should utilize TLS, it is possible to get a free certificate from startcom if price is a concern.
Additionally when packages are verified as non-malicious, they should be signed with a "cabal" signing key, and then the package signatures should be verified by cabal.