[opam-devel] ssl and https compression

Roberto Di Cosmo roberto at dicosmo.org
Tue Apr 8 13:39:51 BST 2014


Ok, if you can look into this, I believe you are the most
qualified to propose a solution ;-)

On Tue, Apr 08, 2014 at 10:44:23AM +0100, Anil Madhavapeddy wrote:
> Should work, but need to check the intersection of content negotiation to ensure that Nginx won't just transmit that encrypted using transfer-encoding instead.  If I remember right, we use a Stud SSL terminator in front of Nginx, so this shouldn't happen...
> 
> -anil
> 
> On 8 Apr 2014, at 10:21, Roberto Di Cosmo <roberto at dicosmo.org> wrote:
> 
> > What about providing by default also an url.txt.gz, like is done for
> > index.tar.gz, and have the new versions of opam look for this?
> > 
> > That would make us independent of any extra communication layer complications
> > 
> > On Tue, Apr 08, 2014 at 09:35:49AM +0100, Anil Madhavapeddy wrote:
> >> I've upgraded the opam.ocaml.org VM for the latest SSL security drama, but we should probably revisit not depending on HTTP compression and SSL together, as there are several known attacks against this combination: http://en.wikipedia.org/wiki/CRIME
> >> 
> >> This isn't an immediate problem for urls.txt, but perhaps having a non-HTTPS way of retrieving URLs.txt is a good idea for OPAM 1.2 to account for future issues (e.g. via git?)
> >> 
> >> -a
> > 
> > -- 
> > Roberto Di Cosmo
> > 
> > ------------------------------------------------------------------
> > Professeur               En delegation a l'INRIA
> > PPS                      E-mail: roberto at dicosmo.org
> > Universite Paris Diderot WWW  : http://www.dicosmo.org
> > Case 7014                Tel  : ++33-(0)1-57 27 92 20
> > 5, Rue Thomas Mann       
> > F-75205 Paris Cedex 13   Identica: http://identi.ca/rdicosmo
> > FRANCE.                  Twitter: http://twitter.com/rdicosmo
> > ------------------------------------------------------------------
> > Attachments:
> > MIME accepted, Word deprecated
> >      http://www.gnu.org/philosophy/no-word-attachments.html
> > ------------------------------------------------------------------
> > Office location:
> > 
> > Bureau 3020 (3rd floor)
> > Batiment Sophie Germain
> > Avenue de France
> > Metro Bibliotheque Francois Mitterrand, ligne 14/RER C
> > -----------------------------------------------------------------
> > GPG fingerprint 2931 20CE 3A5A 5390 98EC 8BFC FCCA C3BE 39CB 12D3                        
> > 
> 

-- 
Roberto Di Cosmo
 


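One way the urls.txt.gz proposal discussed in this thread could look, as an added example (not opam's code and not code from the thread): the index is compressed once at publish time, and the client refuses a response that the HTTP layer compressed again. The function names, the sample index contents and the size limit are assumptions.

```python
import gzip
import io

# Constructed sample index; the real urls.txt layout is not shown in the thread.
SAMPLE_URLS_TXT = b"packages/foo/foo.1.0/opam 0f3a 0644\npackages/bar/bar.2.1/opam 9c1e 0644\n"

COMPRESSING_CODINGS = {"gzip", "deflate", "compress", "br"}


def build_urls_txt_gz(plain: bytes) -> bytes:
    """Server side: compress once at publish time, reproducibly (mtime=0)."""
    buf = io.BytesIO()
    with gzip.GzipFile(filename="", mode="wb", fileobj=buf, mtime=0) as gz:
        gz.write(plain)
    return buf.getvalue()


def transport_compression(headers: dict) -> list:
    """Return the response headers showing the HTTP layer compressed the body."""
    found = []
    for name, value in headers.items():
        if name.lower() not in ("content-encoding", "transfer-encoding"):
            continue
        codings = {token.strip().lower() for token in value.split(",")}
        if codings & COMPRESSING_CODINGS:
            found.append(f"{name}: {value}")
    return found


def fetch_index(headers: dict, body: bytes, max_size: int = 64 * 1024 * 1024) -> bytes:
    """Client side: accept urls.txt.gz only if it arrived as an opaque file."""
    layered = transport_compression(headers)
    if layered:
        raise ValueError("HTTP-level compression on urls.txt.gz: " + "; ".join(layered))
    if body[:2] != b"\x1f\x8b":  # gzip magic bytes
        raise ValueError("not a gzip file")
    with gzip.GzipFile(fileobj=io.BytesIO(body)) as gz:
        plain = gz.read(max_size + 1)  # bounded read: refuse oversized output
    if len(plain) > max_size:
        raise ValueError("decompressed index exceeds size limit")
    return plain
```

A plain `Transfer-Encoding: chunked` passes the check; only compressing codings are rejected.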