[return to "Detecting the use of "curl | bash" server-side"]
1. cjbpri+e2 2018-07-29 02:26:42
>>rubyn0+(OP)
Neat! But it's not obviously a bad idea. You have a TLS connection with the site you're downloading from. `curl | bash` is no worse than downloading a .dmg or .deb from the same server would be.
2. schoen+i3 2018-07-29 02:48:46
>>cjbpri+e2
> You have a TLS connection with the site you're downloading from. `curl | bash` is no worse than downloading a .dmg or .deb from the same server would be.

This site's argument is that the software publisher can selectively attack users during a live software install, in a way that they don't stand a chance of detecting by inspection (or of having proof of after the fact).

3. window+d7 2018-07-29 04:14:19
>>schoen+i3
> in a way that they don't stand a chance of detecting by inspection (or of having proof of after the fact)

What do you mean? They could `tee` curl output to a file (or elsewhere, for archives). They could also suspend passing the output to bash until they've verified the output (perhaps they would run a hash function and compare the result).

4. Cyphas+v7 2018-07-29 04:21:22
>>window+d7
Then that wouldn't be 'curl | bash'.
5. window+X7 2018-07-29 04:30:34
>>Cyphas+v7
curl | ... bash
6. schoen+S8 2018-07-29 04:53:19
>>window+X7
The point of the article is apparently that the server can distinguish "curl | ... | bash" from "curl | bash".
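
The buffer-then-verify step suggested in comment 3, combined with the after-the-fact evidence raised in comment 2, as an added shell example that is not part of the thread. The function names `run_if_pinned` and `sha256_of` are hypothetical, and the URL in the usage comment is a placeholder; it assumes the publisher's expected SHA-256 was obtained out of band.

```shell
#!/usr/bin/env bash
# Added example: buffer a piped script, check it against a pinned SHA-256,
# and only then hand it to the interpreter.
# Usage (URL and hash are placeholders):
#   curl -fsSL https://example.com/install.sh | run_if_pinned <expected-sha256>

sha256_of() {
    # Print the hex SHA-256 of a file using whichever tool is installed.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

run_if_pinned() {
    # $1: expected SHA-256 (hex, any case); $2: interpreter, default bash.
    local expected actual tmp interp status
    expected=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    interp=${2:-bash}
    tmp=$(mktemp) || return 2

    # Read stdin to EOF before anything executes, so the sender sees a
    # plain download and a truncated transfer fails the hash check.
    if ! cat >"$tmp"; then
        rm -f "$tmp"
        return 2
    fi

    actual=$(sha256_of "$tmp")
    if [ "$actual" != "$expected" ]; then
        # Keep the exact bytes received as evidence; nothing has run.
        echo "hash mismatch: got $actual, kept copy at $tmp" >&2
        return 1
    fi

    status=0
    "$interp" "$tmp" || status=$?
    rm -f "$tmp"
    return "$status"
}
```

On a mismatch the received bytes stay on disk, so there is a record of what the server actually sent.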