[cmeacham98]

Update: Checked the script, and not only does their official installer not verify the download at all - it immediately executes it.

Therefore, it's trivially possible to RCE someone running this script you are MITMing - block all the HTTPS connections, and then replace the binary in the HTTP connection with malware.

Frankly this vulnerability is so obvious and so negligent that I would never use this tool, which is unfortunate as it sounds like a cool idea.

[liquidpele]

I feel you’ve missed the point. They’re not trying to use https, they can’t, they are downloading tools that only exist online as https links from a legacy system that only supports http. They simply couldn’t download jack shit and came up with a way to do it.

[account42]

If you can get the insecure bash script onto the system you can also get a bundle with a more secure downloader (or even better, the binaries to be installed) on the system in the same way. Even if you are limited to copy and pasting ASCII text, shell archives are a thing as are a myriad of other possible solutions that do not involve downloading a binary over plain HTTP without any verification.

[cmeacham98]

I think you've missed the point. Even on systems where HTTPS is normally available an attacker in the middle can trivially cause their official installer script to download and run malware by just blocking a few HTTPS connections.

This is the DEFAULT fallback behavior in their installer - not something that only happens on legacy machines.

If I install a project from GitHub on the airport WiFi I'm assuming that the authors know what they're doing and I'm not potentially getting silently MITMed. And when I find out the authors don't know what they're doing to this extreme extent, I note down to never use their project.