
[return to "The browser catches homograph attacks, the terminal doesn't"]
1. accoun+2Z3 2026-02-04 13:54:38
>>MrBudd+(OP)
> curl -sSL https://install.example-cli.dev | bash # safe

This is not and has never been safe.

2. digita+VZ3 2026-02-04 14:00:16
>>accoun+2Z3
It's about as safe as trusting all the add-ons in your IDE, and all the packages your node app pulls from random package repos.

It's just the plausible blame that shifts.

If you read the script before you pipe it into your shell, it's safe.

And if that's not safe, then it's just as dangerous to trust that an unopened bottle of ketchup is safe.

Nothing is safe. Everything is a judgement. Being culpable is a professional service. Lucky people out-earn unlucky people. The world is a scary place.

3. zzo38c+Nia 2026-02-06 07:32:23
>>digita+VZ3
> If you read the script before you pipe it into your shell, it's safe.

If you download it first before executing it (instead of downloading it a second time when executing it), then that mitigates one problem, but still not all of them (like you mention). Other mitigations are also possible, such as hashing, certificate pinning, sandboxing, etc.

4. Epa095+rna 2026-02-06 08:22:33
>>zzo38c+Nia
This is a good point. Made me think about how I will usually read it first, but in the browser. And it's easy for the server to check the user agent, and serve me a different version in the browser!
5. kreetx+qLa 2026-02-06 12:13:09
>>Epa095+rna
Yup. The script that you execute should literally be the one that you read. (I.e., no downloading twice.)
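The pattern the replies converge on, as an added example that is not part of the thread: fetch the installer to disk once, read that file, check its digest against a value obtained out of band, and then run exactly those bytes. This closes both the "downloaded twice" gap from comment 3 and the user-agent trick from comment 4, because the bytes you inspect are the bytes you execute. The URL is the one from the original post; `download_installer`, `verify_and_run` and the expected digest are assumptions made for this example, and the hash check is a constructed placeholder, not a published value.

```shell
#!/bin/sh
# Added example (not from the thread): download once, review, verify, then
# run the same file. Nothing here is piped straight from the network into sh.
set -u

# Step 1: save the script instead of piping it. Same tool, same User-Agent,
# so a server that fingerprints clients sees the request it would see on
# install day. (Network call; not exercised by the offline test.)
download_installer() {
    url=$1
    dest=$2
    curl -fsSL "$url" -o "$dest"
}

# Step 2: read the saved copy, not a browser rendering of the URL.
review_installer() {
    "${PAGER:-less}" "$1"
}

# SHA-256 of a file; uses coreutils sha256sum or falls back to shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Step 3: execute only if the digest matches the value you got from the
# project's release page or docs (out of band, not from the same URL).
# Returns 1 and runs nothing on mismatch.
verify_and_run() {
    script=$1
    expected=$2
    actual=$(sha256_of "$script")
    if [ "$actual" != "$expected" ]; then
        echo "refusing to run $script: expected $expected, got $actual" >&2
        return 1
    fi
    sh "$script"
}

# Usage (assumed URL from the thread; placeholder digest):
#   tmp=$(mktemp)
#   download_installer https://install.example-cli.dev "$tmp"
#   review_installer "$tmp"
#   verify_and_run "$tmp" "<sha256 published by the project>"
```

A sandboxed run (a container or throwaway VM, as comment 3 mentions) slots in at step 3 by replacing `sh "$script"` with the sandbox invocation; the digest check stays the same.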