On Tuesday 11 December 2007, Michael Quick wrote:
> [EMAIL PROTECTED] wrote:
> > On Dec 11, 2007 12:30 AM, Porkchop <[EMAIL PROTECTED]> wrote:
> >> Yes, I realize you assumed he was using a public internet site he has no
> >> control over rather than an intranet server. But he didn't tell us that.
> >
> > Again, HTTP is so easily spoofable that even people that ask for help
> > about bash can do it. If he's on an intranet so large as to require
> > automated installation solutions, then there's a fairly good chance, I
> > think, that there are other people on the network besides him. The
> > moment you add another person into the equation, the network should
> > now be assumed compromised; I may be being a bit pessimistic here, but
> > we're talking about "Administrator" privileges.
>
> Probably the best response to the "security issue" would be to just use
> HTTPS (i.e. curl https://host/file.sh). Users will have to trust scripts
> anyway, there is little risk.

Just one obvious snag: you need a signed SSL certificate. That means
either making your own self-signed cert (or your own CA) and deploying it
to all of the boxes, or purchasing a certificate that's signed by a known
CA. Either way it's kind of a pain in the neck. But assuming you can deal
with that it's definitely a better solution; the traffic won't be totally
in the clear, and there's some way of verifying the authenticity of source.

  -- Chris

-- 
Chris Knadle
[EMAIL PROTECTED]
_______________________________________________
Mid-Hudson Valley Linux Users Group http://mhvlug.org
http://mhvlug.org/cgi-bin/mailman/listinfo/mhvlug
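
The setup discussed in the thread (HTTPS with your own CA deployed to every box) as an added example, not code from any poster: a fetch helper that trusts only that CA and saves the script to a file before it is run. The CA path, the function names and the host in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: fetch an install script over HTTPS, trusting only an internal CA.
# The default CA_FILE path is an assumption, not a value from the thread.
CA_FILE="${CA_FILE:-/etc/ssl/private-ca/internal-ca.pem}"

# check_source URL CAFILE
# Refuse anything that is not https:// or that has no CA file to verify against.
check_source() {
    case "$1" in
        https://*) ;;
        *) echo "refusing non-HTTPS URL: $1" >&2; return 2 ;;
    esac
    if [ ! -s "$2" ]; then
        echo "CA bundle missing or empty: $2" >&2
        return 3
    fi
    return 0
}

# fetch_script URL OUTFILE
# Download to a file instead of piping straight into a shell.
fetch_script() {
    check_source "$1" "$CA_FILE" || return $?
    tmp="$(mktemp)" || return 4
    # --cacert: trust only the deployed CA, not the system-wide bundle
    # --proto / --proto-redir: a redirect cannot downgrade the fetch to http
    # --fail: an HTTP error page is never saved as if it were the script
    if curl --silent --show-error --fail --location \
            --proto '=https' --proto-redir '=https' \
            --cacert "$CA_FILE" --output "$tmp" "$1"; then
        mv "$tmp" "$2"
    else
        rc=$?
        rm -f "$tmp"
        return "$rc"
    fi
}

# Usage (hypothetical host):
#   fetch_script https://host/file.sh ./file.sh && sh ./file.sh
```

With a self-signed server certificate rather than a CA, the same `--cacert` option can point at that certificate itself.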
