zlacker

[return to "Detecting the use of "curl | bash" server-side"]
1. cjbpri+e2[view] [source] 2018-07-29 02:26:42
>>rubyn0+(OP)
Neat! But it's not obviously a bad idea. You have a TLS connection with the site you're downloading from. `curl | bash` is no worse than downloading a .dmg or .deb from the same server would be.
◧◩
2. vbezhe+p2[view] [source] 2018-07-29 02:30:38
>>cjbpri+e2
deb/rpm is better because it's usually signed by maintainer with GPG keys. I think that it's harder to steal keys from maintainer than to infiltrate web server.
◧◩◪
3. cjbpri+r3[view] [source] 2018-07-29 02:52:00
>>vbezhe+p2
For the most part you receive the GPG keys over the same TLS connection, though.
◧◩◪◨
4. sigjui+a4[view] [source] 2018-07-29 03:04:15
>>cjbpri+r3
Not sure what you mean. I don’t think apt-get install foo involves transferring GPG keys.
◧◩◪◨⬒
5. cjbpri+05[view] [source] 2018-07-29 03:20:26
>>sigjui+a4
We're comparing the security properties of

`curl https://somesite.com/foo.sh | bash`

with

`curl https://somesite.com/foo.deb`

and

`curl https://somesite.com/apt.key | sudo apt-key add - && sudo apt-get update && sudo apt-get install some-software`

I don't think there are very meaningful differences in the security properties -- I don't think it's more difficult to become compromised by one than by one of the others.

[go to top]