[opam-devel] ssl and https compression
Anil Madhavapeddy
anil at recoil.org
Tue Apr 8 09:35:49 BST 2014
I've upgraded the opam.ocaml.org VM for the latest SSL security drama, but we should probably revisit not depending on HTTP compression and SSL together, as there are several known attacks against this combination: http://en.wikipedia.org/wiki/CRIME
This isn't an immediate problem for urls.txt, but perhaps having a non-HTTPS way of retrieving URLs.txt is a good idea for OPAM 1.2 to account for future issues (e.g. via git?)
-a
More information about the opam-devel
mailing list