diff --git a/.travis.yml b/.travis.yml
index 6b4d95e9c28581b2a7cb1b0483714a177d41919e..04e5b810abe8f9eae194ac18a3c6922451c38656 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -92,6 +92,7 @@ cache:
 before_cache:
  - rm -fv $HOME/.cabal/packages/hackage.haskell.org/build-reports.log
  - rm -fv $HOME/.cabal/packages/hackage.haskell.org/00-index*
+ - rm -fv $HOME/.cabal/packages/hackage.haskell.org/*.json
 
 # Deploy Haddocks to the haskell/cabal-website repo.
 after_success:
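Review bot: The added `rm -fv $HOME/.cabal/packages/hackage.haskell.org/*.json` entry in `before_cache` carries no comment saying what these files are or why they must not be cached. They are presumably the hackage-security metadata written by the secure index format, in which case every build re-fetches and re-verifies that metadata from the built-in root keys instead of reusing cached state. A one-line comment above the entry would record that intent, for example `# hackage-security metadata: never cached, so each build re-fetches and re-verifies it`.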
diff --git a/appveyor.yml b/appveyor.yml
index ae8ebe21885b0a9a5a28536f9b499fe01c6d8d35..e8d71b13d5db339466a8558ea7e5078348c7e118 100644
--- a/appveyor.yml
+++ b/appveyor.yml
@@ -26,6 +26,8 @@ build_script:
   - echo "" | ..\cabal install --only-dependencies --enable-tests
   - ..\cabal configure --user --ghc-option=-Werror --enable-tests
   - ..\cabal build
+  # update package index again, this time for the cabal under test
+  - dist\build\cabal\cabal.exe update
   - ..\cabal test unit-tests --show-details=streaming --test-option=--pattern=!FileMonitor --test-option=--hide-successes
   - ..\cabal test integration-tests --show-details=streaming --test-option=--pattern=!exec --test-option=--hide-successes
   - ..\cabal test integration-tests2 --show-details=streaming --test-option=--hide-successes
diff --git a/cabal-install/Distribution/Client/Config.hs b/cabal-install/Distribution/Client/Config.hs
index b06998bdce019d59830e2795e2cee80141dc67d6..015e93191a9a7cfe4cde8d8ac7d61e5e2c14c706 100644
--- a/cabal-install/Distribution/Client/Config.hs
+++ b/cabal-install/Distribution/Client/Config.hs
@@ -532,13 +532,9 @@ addInfoForKnownRepos repo
                   remoteRepoKeyThreshold = 0
                 } | secure /= Just False
             = r {
-              --TODO: When we want to switch us from using opt-in to opt-out
-              -- security for the central hackage server, uncomment the
-              -- following line. That will cause the default (of unspecified)
-              -- to get interpreted as if it were "secure: True". For the
-              -- moment it means the keys get added but you have to manually
-              -- set "secure: True" to opt-in.
-              --remoteRepoSecure       = Just True,
+                -- Use hackage-security by default unless you opt-out with
+                -- secure: False
+                remoteRepoSecure       = Just True,
                 remoteRepoRootKeys     = defaultHackageRemoteRepoKeys,
                 remoteRepoKeyThreshold = defaultHackageRemoteRepoKeyThreshold
               }
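Review bot: The replacement comment above `remoteRepoSecure = Just True` should say what opting out costs, because this line changes the default for every config that leaves `secure` unset. Something like `-- Secure (hackage-security) mode is the default; an explicit "secure: False" opts out and the index is then used without signature verification.` would make the trade-off visible where it is decided. The guard `secure /= Just False` on the context line above is what keeps an explicit opt-out working. The enclosing equation of addInfoForKnownRepos starts outside the hunk, so which repos this pattern matches cannot be confirmed from here. A unit test pinning that an unset `secure` now yields `Just True`, and that `Just False` is left untouched, would protect this default against regressions.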
diff --git a/cabal-install/Distribution/Client/HttpUtils.hs b/cabal-install/Distribution/Client/HttpUtils.hs
index a50dd6b8a8fea3ba4143d89062d8886faddc680f..c678865d49ae9d9fed160fe1c0ca5d64922c3f32 100644
--- a/cabal-install/Distribution/Client/HttpUtils.hs
+++ b/cabal-install/Distribution/Client/HttpUtils.hs
@@ -27,6 +27,10 @@ import Network.Browser
 import Control.Applicative
 #endif
 import qualified Control.Exception as Exception
+import Control.Exception
+         ( evaluate )
+import Control.DeepSeq
+         ( force )
 import Control.Monad
          ( when, guard )
 import qualified Data.ByteString.Lazy.Char8 as BS
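Review bot: The added `import Control.Exception ( evaluate )` sits directly under `import qualified Control.Exception as Exception`, so the same module is now imported two ways. Writing `Exception.evaluate` at the new call sites would avoid the second import and keep a single convention for exception functions in this file.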
@@ -56,6 +60,8 @@ import System.FilePath
          ( (<.>) )
 import System.Directory
          ( doesFileExist, renameFile )
+import System.IO
+         ( withFile, IOMode(ReadMode), hGetContents, hClose )
 import System.IO.Error
          ( isDoesNotExistError )
 import Distribution.Simple.Program
@@ -70,7 +76,6 @@ import Distribution.Simple.Program.Run
         ( IOEncoding(..), getEffectiveEnvironment )
 import Numeric (showHex)
 import System.Directory (canonicalizePath)
-import System.IO (hClose)
 import System.FilePath (takeFileName, takeDirectory)
 import System.Random (randomRIO)
 import System.Exit (ExitCode(..))
@@ -340,9 +345,10 @@ curlTransport prog =
 
           resp <- getProgramInvocationOutput verbosity
                     (programInvocation prog args)
-          headers <- readFile tmpFile
-          (code, _err, etag') <- parseResponse uri resp headers
-          return (code, etag')
+          withFile tmpFile ReadMode $ \hnd -> do
+            headers <- hGetContents hnd
+            (code, _err, etag') <- parseResponse uri resp headers
+            evaluate $ force (code, etag')
 
     posthttp = noPostYet
 
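Review bot: In the curl branch the handle stays open only until `evaluate $ force (code, etag')` returns, so the result is correct only while every value derived from `headers` is part of that tuple. If a later change returns another field computed from the headers, the lazy string would be read after `withFile` has closed the handle and would silently come back truncated. Forcing the input rather than the result removes that dependency: `headers <- evaluate . force =<< hGetContents hnd`. The same three-line pattern is repeated in the two wgetTransport hunks below. A small local helper such as `readFileStrict path = withFile path ReadMode (\h -> hGetContents h >>= evaluate . force)` would let all three sites read the file in one line and end in a plain `return`.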
@@ -387,8 +393,9 @@ curlTransport prog =
         (code, err, _etag) <- parseResponse uri resp ""
         return (code, err)
 
-    -- on success these curl involcations produces an output like "200"
+    -- on success these curl invocations produces an output like "200"
     -- and on failure it has the server error response first
+    parseResponse :: URI -> String -> String -> IO (Int, String, Maybe ETag)
     parseResponse uri resp headers =
       let codeerr =
             case reverse (lines resp) of
@@ -450,8 +457,9 @@ wgetTransport prog =
                                               "boundary=" ++ boundary ]
           out <- runWGet verbosity (addUriAuth auth uri) args
           (code, _etag) <- parseOutput uri out
-          resp <- readFile responseFile
-          return (code, resp)
+          withFile responseFile ReadMode $ \hnd -> do
+            resp <- hGetContents hnd
+            evaluate $ force (code, resp)
 
     puthttpfile verbosity uri path auth headers =
         withTempFile (takeDirectory path) "response" $ \responseFile responseHandle -> do
@@ -466,8 +474,9 @@ wgetTransport prog =
 
             out <- runWGet verbosity (addUriAuth auth uri) args
             (code, _etag) <- parseOutput uri out
-            resp <- readFile responseFile
-            return (code, resp)
+            withFile responseFile ReadMode $ \hnd -> do
+              resp <- hGetContents hnd
+              evaluate $ force (code, resp)
 
     addUriAuth Nothing uri = uri
     addUriAuth (Just (user, pass)) uri = uri
diff --git a/cabal-install/cabal-install.cabal b/cabal-install/cabal-install.cabal
index f9357d6e4cca2e5b677612d9c721c816802193a2..78cbe6f1113a413645e1125c47eef4f266c5afaf 100644
--- a/cabal-install/cabal-install.cabal
+++ b/cabal-install/cabal-install.cabal
@@ -367,6 +367,7 @@ executable cabal
         Cabal      >= 1.25     && < 1.26,
         containers >= 0.4      && < 0.6,
         cryptohash-sha256 >= 0.11 && < 0.12,
+        deepseq    >= 1.3      && < 1.5,
         filepath   >= 1.3      && < 1.5,
         hashable   >= 1.0      && < 2,
         HTTP       >= 4000.1.5 && < 4000.4,
@@ -453,6 +454,7 @@ Test-Suite unit-tests
         bytestring,
         Cabal,
         containers,
+        deepseq,
         mtl,
         pretty,
         process,
@@ -613,6 +615,7 @@ test-suite integration-tests2
         Cabal,
         containers,
         cryptohash-sha256,
+        deepseq,
         directory,
         filepath,
         hackage-security,
diff --git a/travis-script.sh b/travis-script.sh
index 7f1792853b4a505c60d2caa01af6346f84e1f583..3914339ae5da2726b5bfe56b04132c2180b6939e 100755
--- a/travis-script.sh
+++ b/travis-script.sh
@@ -86,6 +86,11 @@ timed cabal new-build cabal-install:cabal \
                       cabal-install:unit-tests \
                       cabal-install:solver-quickcheck
 
+# The integration-tests2 need the hackage index, and need it in the secure
+# format, which is not necessarily the default format of the bootstrap cabal.
+# If the format does match then this will be very quick.
+timed ${CABAL_INSTALL_BDIR}/build/cabal/cabal update
+
 # Run tests
 (cd cabal-install && timed ${CABAL_INSTALL_BDIR}/build/unit-tests/unit-tests         $TEST_OPTIONS) || exit $?
 (cd cabal-install && timed ${CABAL_INSTALL_BDIR}/build/solver-quickcheck/solver-quickcheck  $TEST_OPTIONS --quickcheck-tests=1000) || exit $?
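Review bot: The new `timed ${CABAL_INSTALL_BDIR}/build/cabal/cabal update` line has no failure check, while the test invocations directly below it end in `|| exit $?`. Unless the script runs under `set -e` (not visible in this hunk), a failed update, whether from a network error or a metadata verification failure, would let integration-tests2 run against a missing or stale index and fail with a much less obvious error. I would write it as `timed ${CABAL_INSTALL_BDIR}/build/cabal/cabal update || exit $?`.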