Thanks for this. If anyone wants to track our progress securing rust-lang.org, you can follow this issue:
https://github.com/rust-lang/rust/issues/16123

On Sun, Aug 3, 2014 at 12:04 PM, Bryce Fisher-Fleig <[email protected]> wrote:

> Dear RustLangers,
>
> TL;DR::
> Only access rustup.sh at
> https://raw.githubusercontent.com/rust-lang/rust-www/gh-pages/rustup.sh
> and NOT at www.rust-lang.org.
>
> Full Story::
> If you're like me, you love the convenience of getting the latest version
> of the rust compiler and cargo updated via rustup.sh. However, this script
> is delivered insecurely over HTTP.
>
> HTTP by itself provides no guarantees that the content sent by the server
> is the same as content received by client. Eric Butler created a firefox
> extension called Firesheep that allows you to hijack any insecure session
> cookies available on any computer on the wifi network [
> http://codebutler.com/firesheep/]. Joel Weinberger of the Google Chrome
> security team recently explained how any content delivered over HTTP can be
> changed by a malicious or compromised router between you and the server [
> https://www.youtube.com/watch?v=X1ZFjOZMSQg].
>
> Why is this a problem for rustup.sh? Because we're encouraged to curl
> rustup.sh and pipe the result to sudo. The problem is that an infected or
> compromised router could insert malware into rustup.sh and run that code as
> root. Now you no longer own your computer.
>
> What's the fix? ONLY ACCESS RUSTUP.SH OVER HTTPS. HTTPS more-or-less
> guarantees that the content sent from the server is what is delivered to
> the client. Fortunately, github delivers all its content securely over
> HTTPS. You can have a high degree of confidence by simply accessing
> rustup.sh from
> https://raw.githubusercontent.com/rust-lang/rust-www/gh-pages/rustup.sh
>
> Why don't the maintainers of www.rust-lang.org deliver all the content
> over HTTPS? www.rust-lang.org is hosted using GithubPages on a custom
> domain. Unfortunately, GithubPages doesn't allow HTTPS for custom domains,
> which is a pity. However, by using GithubPages any pull requests merged
> into the repo are immediately reflected on www.rust-lang.org. Also,
> GithubPages provides DDOS protection and is provided free of charge to open
> source projects like Rust. So, all things considered, this seems like the
> best course of action currently.
>
> Cheers,
> Bryce
>
> _______________________________________________
> Rust-dev mailing list
> [email protected]
> https://mail.mozilla.org/listinfo/rust-dev
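An added example, not part of the original thread or the Rust project's own code: a POSIX shell helper that applies the advice above by refusing any non-HTTPS URL, holding curl to HTTPS across redirects, and saving the script to a file for review instead of piping it to sudo. The function names `is_https_url` and `fetch_installer` are hypothetical.

```shell
#!/bin/sh
# Added example: HTTPS-only download of an installer script to a file.

# URL quoted in the message above.
RUSTUP_URL="https://raw.githubusercontent.com/rust-lang/rust-www/gh-pages/rustup.sh"

# Succeeds only for https:// URLs that have something after the scheme.
is_https_url() {
    case "$1" in
        https://?*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Download URL $1 to path $2. Returns 2 for a non-HTTPS URL, 1 on transfer failure.
fetch_installer() {
    url=$1
    dest=$2
    is_https_url "$url" || { echo "refusing non-HTTPS URL: $url" >&2; return 2; }
    tmp=$(mktemp "${dest}.XXXXXX") || return 1
    # --proto / --proto-redir: allow HTTPS only, including after redirects,
    #   so a redirect cannot downgrade the transfer to plain HTTP.
    # -f: fail on HTTP errors instead of saving an error page as the script.
    # Writing to a temp file first means a truncated download is never run.
    if curl --proto '=https' --proto-redir '=https' --tlsv1.2 -fsSL \
            -o "$tmp" "$url" && [ -s "$tmp" ]; then
        mv "$tmp" "$dest"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Usage (needs network access):
#   fetch_installer "$RUSTUP_URL" ./rustup.sh && less ./rustup.sh
#   sudo sh ./rustup.sh
```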
