On 03/08/14 03:04 PM, Bryce Fisher-Fleig wrote:
> Dear RustLangers,
> 
> TL;DR::
> Only access rustup.sh at
> https://raw.githubusercontent.com/rust-lang/rust-www/gh-pages/rustup.sh
> and NOT at www.rust-lang.org <http://www.rust-lang.org>.
> 
> Full Story::
> If you're like me, you love the convenience of getting the latest
> version of the rust compiler and cargo updated via rustup.sh. However,
> this script is delivered insecurely over HTTP.
> 
> HTTP by itself provides no guarantees that the content sent by the
> server is the same as the content received by the client. Eric Butler created a
> Firefox extension called Firesheep that allows you to hijack any
> insecure session cookies available on any computer on the wifi network
> [http://codebutler.com/firesheep/]. Joel Weinberger of the Google Chrome
> security team recently explained how any content delivered over HTTP can
> be changed by a malicious or compromised router between you and the
> server [https://www.youtube.com/watch?v=X1ZFjOZMSQg].
> 
> Why is this a problem for rustup.sh? Because we're encouraged to curl
> rustup.sh and pipe the result to sudo. The problem is that an infected
> or compromised router could insert malware into rustup.sh and run that
> code as root. Now you no longer own your computer.
> 
> What's the fix? ONLY ACCESS RUSTUP.SH OVER HTTPS. HTTPS more-or-less
> guarantees that the content sent from the server is what is delivered
> to the client. Fortunately, GitHub delivers all its content securely
> over HTTPS. You can have a high degree of confidence by simply accessing
> rustup.sh from
> https://raw.githubusercontent.com/rust-lang/rust-www/gh-pages/rustup.sh
> 
> Why don't the maintainers of www.rust-lang.org
> <http://www.rust-lang.org> deliver all the content over HTTPS?
> www.rust-lang.org <http://www.rust-lang.org> is hosted using GitHub Pages
> on a custom domain. Unfortunately, GitHub Pages doesn't allow HTTPS for
> custom domains, which is a pity. However, by using GitHub Pages any pull
> requests merged into the repo are immediately reflected on
> www.rust-lang.org <http://www.rust-lang.org>. Also, GitHub Pages provides
> DDoS protection and is provided free of charge to open source projects
> like Rust. So, all things considered, this seems like the best course of
> action currently.
> 
> Cheers,
> Bryce

That's not going to help because you're still downloading the compiler
snapshots over HTTP.

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
Rust-dev mailing list
Rust-dev@mozilla.org
https://mail.mozilla.org/listinfo/rust-dev
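
An added example, not part of either message or of the Rust project's code: a POSIX shell check covering both points raised in the thread, verifying a downloaded installer against a pinned SHA-256 and flagging any plaintext http:// URLs the installer would itself fetch from. The function names, the sample installer and its example.invalid URL are constructed for illustration.

```shell
# Added example: audit a downloaded installer before it is run as root.
# Function names and the sample installer below are constructed.

# Print the SHA-256 of a file as bare hex (sha256sum on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# List every plaintext http:// URL the script refers to, one per line.
# Any hit means a later download can be altered in transit even if the
# script itself arrived over HTTPS.
plaintext_urls() {
    grep -Eo "http://[^[:space:]\"'<>)]+" "$1" | sort -u
}

# Succeed only if the file matches the pinned digest AND contains no
# plaintext fetch URLs. Callers run the installer only on success.
safe_to_run() {
    script=$1 pinned=$2
    actual=$(sha256_of "$script") || return 2
    if [ "$actual" != "$pinned" ]; then
        echo "digest mismatch: got $actual" >&2
        return 1
    fi
    urls=$(plaintext_urls "$script")
    if [ -n "$urls" ]; then
        echo "script fetches over plaintext HTTP:" >&2
        echo "$urls" >&2
        return 1
    fi
    return 0
}

# Constructed sample standing in for a downloaded installer.
make_sample() {
    cat > "$1" <<'EOF'
#!/bin/sh
# constructed installer: fetches its payload without TLS
curl -O http://static.example.invalid/dist/compiler-nightly.tar.gz
tar xzf compiler-nightly.tar.gz
EOF
}
```

The pinned digest has to come from a channel that is itself authenticated; a digest fetched over the same plaintext connection as the script adds nothing.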
