Thanks for pointing me to this issue!! I opened a similar issue on rust-www and got no responses for days.
I've actually set up SSL + CloudFront for my own blog and I have some experience with this.

On Sun, Aug 3, 2014 at 12:07 PM, Erick Tryzelaar <[email protected]> wrote:

> Thanks for this. If anyone wants to track our progress securing
> rust-lang.org, you can follow this issue:
>
> https://github.com/rust-lang/rust/issues/16123
>
> On Sun, Aug 3, 2014 at 12:04 PM, Bryce Fisher-Fleig <[email protected]> wrote:
>
>> Dear RustLangers,
>>
>> TL;DR::
>> Only access rustup.sh at
>> https://raw.githubusercontent.com/rust-lang/rust-www/gh-pages/rustup.sh
>> and NOT at www.rust-lang.org.
>>
>> Full Story::
>> If you're like me, you love the convenience of getting the latest
>> version of the rust compiler and cargo updated via rustup.sh. However, this
>> script is delivered insecurely over HTTP.
>>
>> HTTP by itself provides no guarantees that the content sent by the
>> server is the same as content received by the client. Eric Butler created a
>> Firefox extension called Firesheep that allows you to hijack any insecure
>> session cookies available on any computer on the wifi network
>> [http://codebutler.com/firesheep/]. Joel Weinberger of the Google Chrome
>> security team recently explained how any content delivered over HTTP can be
>> changed by a malicious or compromised router between you and the server
>> [https://www.youtube.com/watch?v=X1ZFjOZMSQg].
>>
>> Why is this a problem for rustup.sh? Because we're encouraged to curl
>> rustup.sh and pipe the result to sudo. The problem is that an infected or
>> compromised router could insert malware into rustup.sh and run that code as
>> root. Now you no longer own your computer.
>>
>> What's the fix? ONLY ACCESS RUSTUP.SH OVER HTTPS. HTTPS more-or-less
>> guarantees that the content sent from the server is what is delivered to
>> the client. Fortunately, GitHub delivers all its content securely over
>> HTTPS. You can have a high degree of confidence by simply accessing
>> rustup.sh from
>> https://raw.githubusercontent.com/rust-lang/rust-www/gh-pages/rustup.sh
>>
>> Why don't the maintainers of www.rust-lang.org deliver all the content
>> over HTTPS? www.rust-lang.org is hosted using GitHub Pages on a custom
>> domain. Unfortunately, GitHub Pages doesn't allow HTTPS for custom domains,
>> which is a pity. However, by using GitHub Pages any pull requests merged
>> into the repo are immediately reflected on www.rust-lang.org. Also,
>> GitHub Pages provides DDoS protection and is provided free of charge to open
>> source projects like Rust. So, all things considered, this seems like the
>> best course of action currently.
>>
>> Cheers,
>> Bryce
>>
>> _______________________________________________
>> Rust-dev mailing list
>> [email protected]
>> https://mail.mozilla.org/listinfo/rust-dev

_______________________________________________
Rust-dev mailing list
[email protected]
https://mail.mozilla.org/listinfo/rust-dev
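The thread's point is that `curl http://... | sudo sh` lets anything on the network path rewrite the script before it runs as root, and that fetching over HTTPS removes that exposure. The POSIX shell below is an added example, not code from the thread or from the Rust project: it refuses any non-HTTPS URL, tells curl to reject redirects that would downgrade to plain HTTP, saves the script to a file instead of piping it into a shell, and checks that what arrived looks like a script rather than an HTML error page, so the operator can read it before deciding to run it. The function names (`require_https`, `looks_like_script`, `fetch_script`) are this example's own; the only URLs are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): download an installer
# script over HTTPS only and save it for inspection instead of piping it
# straight into a shell. Function names are this example's own.

# Return 0 only if the URL scheme is https://; anything else is refused,
# since plain HTTP gives no assurance the bytes came from the server.
require_https() {
    case "$1" in
        https://*) return 0 ;;
        *) echo "refusing non-HTTPS URL: $1" >&2; return 1 ;;
    esac
}

# Return 0 if the file's first line starts with "#!", i.e. it is a script
# and not, for example, an HTML error page that curl saved verbatim.
looks_like_script() {
    first=""
    IFS= read -r first < "$1" || true
    case "$first" in
        '#!'*) return 0 ;;
        *) echo "not a shell script: $1" >&2; return 1 ;;
    esac
}

# Fetch $1 into $2. --proto '=https' makes curl refuse every scheme except
# HTTPS, including on redirects; --tlsv1.2 sets a minimum TLS version;
# -f fails on HTTP error status instead of saving the error body.
fetch_script() {
    url=$1
    out=$2
    require_https "$url" || return 1
    curl --proto '=https' --tlsv1.2 -sSf -o "$out" "$url" || return 1
    looks_like_script "$out" || return 1
    echo "saved $url to $out; review it before running it" >&2
    return 0
}

# Optional command-line use: fetch_script <https-url> <output-file>.
# Nothing runs when the file is sourced or executed without arguments.
if [ "$#" -eq 2 ]; then
    fetch_script "$1" "$2"
fi
```

The saved file is the review point: after reading it, an operator runs it explicitly (for example `sudo sh ./rustup.sh`) rather than letting the download and the privileged execution happen in one unreviewable pipeline. Rejecting the URL before curl is even invoked means an `http://` address copied from a web page fails closed instead of silently fetching over plaintext.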
