Well, piping a shell script to a root shell is not safe even with https..

Eero
2017-04-10 19:59 GMT+03:00 Dawid Bałut <[email protected]>:
> Hello Community,
>
> I noticed that on http://www.openvas.org/install-packages-v7.html we're
> encouraging users to wget a script from the atomiccorp website using http.
> As we know this is a potential Man in the Middle attack vector, and we
> shouldn't spread such bad practice - especially since the atomiccorp website and
> the given resource are available through https:// so I can't see a reason to use
> http.
>
> So my inquiry is - can you please change in the guide
>   wget -q -O - http://www.atomicorp.com/installers/atomic |sh
> to
>   wget -q -O - https://www.atomicorp.com/installers/atomic |sh
> ?
>
> To make it clear for everyone why I'm concerned by it:
> 1. We ask users to fetch it with super user privileges, so if this request
>    is MiTM'd, it can completely compromise the end user machine, and for corporate
>    environments that's a disaster.
> 2. We're talking about security software here so we should be a good
>    example for others.
>
> FYI: The script itself downloads RPM keys via https so in there
> everything is fine and the only problem I see is related to the mentioned
> instruction in the installation guide.
>
> The scale of the problem is much bigger as I can see the same practice in
> here:
> http://www.openvas.org/install-packages-v6.html and other wiki pages,
> where not only the plaintext wget | sh is encouraged, but also downloading
> RPM keys from static URLs is happening via plaintext HTTP (websites hosting
> repo keys are in general available with https, so we should leverage it
> wherever possible)
> Example:
>   wget http://download.opensuse.org/repositories/security:/OpenVAS:/UNSTABLE:/v6/Debian_7.0/Release.key
>
> Appreciate your help and feedback on this.
>
> Love,
> Dawid Bałut <https://www.linkedin.com/in/dawidbalut>
> Founder of InfoSec Remedy <https://infosecremedy.blogspot.com/>
> Blogger at dawidbalut.blogspot.com
>
> _______________________________________________
> Openvas-discuss mailing list
> [email protected]
> https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
>
_______________________________________________ Openvas-discuss mailing list [email protected] https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
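A hardened replacement for the "wget -q -O - http://... | sh" step the thread is about, added here as an example; it is not code from the OpenVAS guide, from atomicorp, or from either poster. It refuses non-https URLs, downloads to a file instead of straight into sh, checks the file against a SHA-256 digest obtained out of band (the digest and URL passed to install_verified are hypothetical placeholders), and shows how to list the fingerprints of a downloaded repo key for comparison with the publisher's stated fingerprint. Tools assumed: wget, sha256sum or shasum, and GnuPG 2.1+ for the key check.

```shell
#!/bin/sh
# Added example (not from the OpenVAS guide or atomicorp): fetch-verify-run
# instead of "wget -q -O - http://... | sh" as root.

# Accept only https:// URLs; refuse plaintext http:// and anything else.
require_https() {
    case "$1" in
        https://*) return 0 ;;
        *) echo "refusing non-HTTPS URL: $1" >&2; return 1 ;;
    esac
}

# Portable SHA-256 of a file (coreutils sha256sum, or shasum where absent).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Compare a file's digest with one obtained out of band (a checksum pinned
# in configuration, or published on a channel other than the same fetch).
verify_sha256() {
    file=$1; expected=$2
    actual=$(sha256_of "$file")
    [ "$actual" = "$expected" ] && return 0
    echo "checksum mismatch for $file: got $actual, want $expected" >&2
    return 1
}

# Download to a file first (never straight into sh), TLS only, with wget's
# default certificate validation left on. --https-only also makes wget
# refuse a redirect that drops back to http://.
fetch_https() {
    require_https "$1" || return 1
    wget -q --https-only -O "$2" "$1"
}

# List the fingerprints in a downloaded repo key (e.g. Release.key) so they
# can be compared with the fingerprint the key's owner publishes before the
# key is imported. Requires GnuPG 2.1+ for --import-options show-only.
key_fingerprints() {
    gpg --batch --with-colons --import-options show-only --import "$1" \
        | awk -F: '$1 == "fpr" { print $10 }'
}

# Usage: install_verified URL EXPECTED_SHA256
# EXPECTED_SHA256 must come from somewhere other than the same download,
# or it proves nothing against a man in the middle. Both arguments are
# placeholders supplied by the caller; none are real values from the thread.
install_verified() {
    url=$1; expected=$2
    tmp=$(mktemp) || return 1
    if fetch_https "$url" "$tmp" && verify_sha256 "$tmp" "$expected"; then
        sh "$tmp"; rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}
```

The ordering matters: the script is only handed to sh after both the transport check and the digest check pass, and the temporary file is removed either way, so a tampered or truncated download never reaches a root shell.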
