[opam-devel] ssl and https compression

Anil Madhavapeddy anil at recoil.org
Tue Apr 8 09:35:49 BST 2014


I've upgraded the opam.ocaml.org VM for the latest SSL security drama, but we should probably revisit not depending on HTTP compression and SSL together, as there are several known attacks against this combination: http://en.wikipedia.org/wiki/CRIME

This isn't an immediate problem for urls.txt, but perhaps having a non-HTTPS way of retrieving URLs.txt is a good idea for OPAM 1.2 to account for future issues (e.g. via git?)

-a

