Discussion:
[rust-dev] Accessing Rustup.sh Securely
Bryce Fisher-Fleig
2014-08-03 19:04:13 UTC
Dear RustLangers,

TL;DR::
Only access rustup.sh at
https://raw.githubusercontent.com/rust-lang/rust-www/gh-pages/rustup.sh and
NOT at www.rust-lang.org.

Full Story::
If you're like me, you love the convenience of getting the latest version
of the rust compiler and cargo updated via rustup.sh. However, this script
is delivered insecurely over HTTP.

HTTP by itself provides no guarantees that the content sent by the server
is the same as content received by client. Eric Butler created a firefox
extension called Firesheep that allows you to hijack any insecure session
cookies available on any computer on the wifi network [
http://codebutler.com/firesheep/]. Joel Weinberger of the Google Chrome
security team recently explained how any content delivered over HTTP can be
changed by a malicious or compromised router between you and the server [
http://youtu.be/X1ZFjOZMSQg].

Why is this a problem for rustup.sh? Because we're encouraged to curl
rustup.sh and pipe the result to sudo. The problem is that an infected or
compromised router could insert malware into rustup.sh and run that code as
root. Now you no longer own your computer.

What's the fix? ONLY ACCESS RUSTUP.SH OVER HTTPS. HTTPS more-or-less
guarantees that the content sent from the server is what is delivered to
the client. Fortunately, github delivers all its content securely over
HTTPS. You can have a high degree of confidence by simply accessing
rustup.sh from
https://raw.githubusercontent.com/rust-lang/rust-www/gh-pages/rustup.sh

Why don't the maintainers of www.rust-lang.org deliver all the content over
HTTPS? www.rust-lang.org is hosted using GithubPages on a custom domain.
Unfortunately, GithubPages doesn't allow HTTPS for custom domains, which is
a pity. However, by using GithubPages any pull requests merged into the
repo are immediately reflected on www.rust-lang.org. Also, GithubPages
provides DDOS protection and is provided free of charge to open source
projects like Rust. So, all things considered, this seems like the best
course of action currently.

Cheers,
Bryce
Erick Tryzelaar
2014-08-03 19:07:04 UTC
Thanks for this. If anyone wants to track our progress securing
rust-lang.org, you can follow this issue:

https://github.com/rust-lang/rust/issues/16123


Bryce Fisher-Fleig
2014-08-03 19:15:34 UTC
Thanks for pointing me to this issue!! I opened a similar issue on rust-www
and got no responses for days.

I've actually set up SSL + CloudFront for my own blog and I have some
experience with this.


Bryce Fisher-Fleig
2014-08-03 19:52:37 UTC
Pardon my slowness -- I'm having trouble figuring out where the repo for
doc.rust-lang.org is located so I can make a PR. Can someone point me in
the right direction?
Evan G
2014-08-03 19:54:53 UTC
The rust documentation is generated from the rust repo and source code.


Daniel Micay
2014-08-03 21:12:04 UTC
Post by Bryce Fisher-Fleig
Dear RustLangers,
Only access rustup.sh at
https://raw.githubusercontent.com/rust-lang/rust-www/gh-pages/rustup.sh
and NOT at www.rust-lang.org.
If you're like me, you love the convenience of getting the latest
version of the rust compiler and cargo updated via rustup.sh. However,
this script is delivered insecurely over HTTP.
HTTP by itself provides no guarantees that the content sent by the
server is the same as content received by client. Eric Butler created a
firefox extension called Firesheep that allows you to hijack any
insecure session cookies available on any computer on the wifi network
[http://codebutler.com/firesheep/]. Joel Weinberger of the Google Chrome
security team recently explained how any content delivered over HTTP can
be changed by a malicious or compromised router between you and the
server http://youtu.be/X1ZFjOZMSQg
Why is this a problem for rustup.sh? Because we're encouraged to curl
rustup.sh and pipe the result to sudo. The problem is that an infected
or compromised router could insert malware into rustup.sh and run that
code as root. Now you no longer own your computer.
What's the fix? ONLY ACCESS RUSTUP.SH OVER HTTPS. HTTPS more-or-less
guarantees that the content sent from the server is what is delivered
to the client. Fortunately, github delivers all its content securely
over HTTPS. You can have a high degree of confidence by simply accessing
rustup.sh from
https://raw.githubusercontent.com/rust-lang/rust-www/gh-pages/rustup.sh
Why don't the maintainers of www.rust-lang.org deliver all the content
over HTTPS? www.rust-lang.org is hosted using GithubPages on a custom
domain. Unfortunately, GithubPages doesn't allow HTTPS for custom
domains, which is a pity. However, by using GithubPages any pull
requests merged into the repo are immediately reflected on
www.rust-lang.org. Also, GithubPages provides DDOS protection and is
provided free of charge to open source projects like Rust. So, all
things considered, this seems like the best course of action currently.
Cheers,
Bryce
That's not going to help because you're still downloading the compiler
snapshots over HTTP.

Diggory Hardy
2014-08-04 05:38:20 UTC
Which is why I don't use it.

A third point is that root access is really not required; e.g. I usually
install software into /home/install/NAME and then do no more than create links
to the binaries from my own bin folder.

Of course, that doesn't remove the need to validate the downloaded files.
Post by Daniel Micay
Post by Bryce Fisher-Fleig
Dear RustLangers,
Only access rustup.sh at
https://raw.githubusercontent.com/rust-lang/rust-www/gh-pages/rustup.sh
and NOT at www.rust-lang.org.
That's not going to help because you're still downloading the compiler
snapshots over HTTP.
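
The advice running through this thread (fetch the script over HTTPS only, validate what was downloaded, and avoid root) written as shell functions. This is an added example, not part of any post above and not the Rust project's own tooling; the function names are hypothetical, and the expected SHA-256 digest is a caller-supplied placeholder because the thread publishes none.

```shell
#!/bin/sh
# Added example: download to a file over HTTPS, verify, and execute nothing.
# URL as given in the thread.
RUSTUP_URL="https://raw.githubusercontent.com/rust-lang/rust-www/gh-pages/rustup.sh"

# sha256_of FILE -> prints the lowercase hex SHA-256 digest of FILE.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_sha256 FILE EXPECTED -> 0 on exact match, 1 on mismatch, 2 on bad input.
# EXPECTED must come from a separate trusted channel (assumption of this example).
verify_sha256() {
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    case "$expected" in
        *[!0-9a-f]*|"") return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || return 2
    actual=$(sha256_of "$1") || return 2
    [ "$actual" = "$expected" ]
}

# fetch_https URL DEST -> saves URL to DEST; refuses plain-HTTP URLs and
# refuses redirects that would downgrade the transfer to HTTP.
fetch_https() {
    case "$1" in
        https://*) ;;
        *) echo "refusing non-HTTPS URL: $1" >&2; return 1 ;;
    esac
    curl --proto '=https' --proto-redir '=https' --fail --silent --show-error \
         --location --output "$2" "$1"
}

# fetch_and_verify EXPECTED_SHA256 DEST -> leaves a verified script at DEST,
# or deletes the download and fails. No sudo is involved at any point.
fetch_and_verify() {
    fetch_https "$RUSTUP_URL" "$2" || return 1
    if ! verify_sha256 "$2" "$1"; then
        echo "digest mismatch, discarding $2" >&2
        rm -f "$2"
        return 1
    fi
}
```

Verifying the script covers only the script itself; as pointed out in the thread, whatever it downloads afterwards needs its own validation.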