Dear RustLangers,

TL;DR: Only access rustup.sh at https://raw.githubusercontent.com/rust-lang/rust-www/gh-pages/rustup.sh and NOT at www.rust-lang.org.
Full Story: If you're like me, you love the convenience of getting the latest version of the Rust compiler and Cargo via rustup.sh. However, this script is delivered insecurely over HTTP. HTTP by itself provides no guarantee that the content sent by the server is the same as the content received by the client. Eric Butler created a Firefox extension called Firesheep that allows you to hijack any insecure session cookies available on any computer on the wifi network [http://codebutler.com/firesheep/]. Joel Weinberger of the Google Chrome security team recently explained how any content delivered over HTTP can be changed by a malicious or compromised router between you and the server [https://www.youtube.com/watch?v=X1ZFjOZMSQg].

Why is this a problem for rustup.sh? Because we're encouraged to curl rustup.sh and pipe the result to sudo. The problem is that an infected or compromised router could insert malware into rustup.sh and run that code as root. Now you no longer own your computer.

What's the fix? ONLY ACCESS RUSTUP.SH OVER HTTPS. HTTPS more-or-less guarantees that the content sent from the server is what is delivered to the client. Fortunately, GitHub delivers all its content securely over HTTPS. You can have a high degree of confidence by simply accessing rustup.sh from https://raw.githubusercontent.com/rust-lang/rust-www/gh-pages/rustup.sh

Why don't the maintainers of www.rust-lang.org deliver all the content over HTTPS? www.rust-lang.org is hosted using GitHub Pages on a custom domain. Unfortunately, GitHub Pages doesn't allow HTTPS for custom domains, which is a pity. However, by using GitHub Pages any pull requests merged into the repo are immediately reflected on www.rust-lang.org. Also, GitHub Pages provides DDoS protection and is provided free of charge to open source projects like Rust. So, all things considered, this seems like the best course of action currently.

Cheers,
Bryce
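The following is an added example of the "HTTPS only, then verify, then run" habit the post recommends; it is not code from the original post or from the Rust project. It assumes curl and sha256sum (or shasum) are installed, and the pinned digest is a placeholder you would replace with the hash of the copy you actually reviewed. The point over a bare curl-pipe-sudo is that the script is saved to disk and checked before anything is executed, and that curl is told to refuse any plain-HTTP hop, including redirects.

```shell
#!/bin/sh
# Added example (not from the original post): fetch an installer script over
# HTTPS only, save it, verify a pinned SHA-256, and only then run it.
# Assumptions: curl and sha256sum/shasum are available; PINNED_SHA256 below
# is a placeholder, not the real digest of rustup.sh.

RUSTUP_URL="https://raw.githubusercontent.com/rust-lang/rust-www/gh-pages/rustup.sh"
PINNED_SHA256="PLACEHOLDER_REPLACE_WITH_REVIEWED_DIGEST"

# Succeed only when the URL uses the https scheme; anything else is refused.
require_https() {
  case "$1" in
    https://*) return 0 ;;
    *) echo "refusing non-HTTPS URL: $1" >&2; return 1 ;;
  esac
}

# Download with curl while forbidding any protocol downgrade.
# --proto '=https'       : only the https scheme may be used at all
# --proto-redir '=https' : a redirect to http:// is an error, not followed
# --tlsv1.2              : refuse older TLS versions
# --fail                 : HTTP error responses become a non-zero exit
fetch_https() {
  url="$1"; out="$2"
  require_https "$url" || return 1
  curl --proto '=https' --proto-redir '=https' --tlsv1.2 --fail \
       --silent --show-error --location --output "$out" "$url"
}

# Print the SHA-256 hex digest of a file (GNU coreutils or BSD/macOS shasum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Succeed only if the file's digest matches the expected hex digest.
verify_sha256() {
  file="$1"; expected="$2"
  actual=$(sha256_of "$file")
  [ "$actual" = "$expected" ]
}

# Full flow: fetch to a temp file, verify, then run the verified file.
# Nothing is executed until the digest check passes. If the installer needs
# root, elevate only this already-verified file (e.g. sudo sh "$tmp").
install_verified() {
  url="$1"; expected="$2"
  tmp=$(mktemp) || return 1
  if fetch_https "$url" "$tmp" && verify_sha256 "$tmp" "$expected"; then
    sh "$tmp"
    rc=$?
  else
    echo "download or checksum verification failed; not running installer" >&2
    rc=1
  fi
  rm -f "$tmp"
  return "$rc"
}

# Usage (not run automatically):
#   install_verified "$RUSTUP_URL" "$PINNED_SHA256"
```

The digest check does not replace HTTPS; it catches a changed file, whether the change came from the network or from the hosting side, and forces you to notice when the script you reviewed is no longer the one being served.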
_______________________________________________ Rust-dev mailing list Rust-dev@mozilla.org https://mail.mozilla.org/listinfo/rust-dev