by Argorak 4488 days ago
Um. Don't run the installation instructions.

While the download itself is served using https (from amazon), curl will contact the google url shortener using HTTP. Honestly, if I wanted to MITM one thing on any network, URL shorteners would come first.

Edit: The website switched from Google's link shortener to git.io (http) and the download to GitHub downloads. git.io's https version seems to have certificate issues.

    > curl https://git.io/lOQWeA -vvv
    ...
    * SSL certificate problem: Invalid certificate chain
    ...

> While the download itself is served using https (from amazon), curl will contact the google url shortener using HTTP.

Whoever wrote the installation instructions here should take a page from Sublime Package Control's installation instructions:

> The download will be done over HTTP instead of HTTPS due to Python standard library limitations, however the file will be validated using SHA-256.

> WARNING: Please do not redistribute the install code via another website. [Because of the embedded SHA-256 digest, the installation code] will change with every release. Instead, please link to this page.

[1] https://sublime.wbond.net/installation
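The Package Control approach quoted above (fetch the archive, then refuse to use it unless its SHA-256 matches a digest pinned in the install snippet) as a small POSIX shell script. This is an added example, not Alcatraz's or Package Control's own installer; the URL and digest are placeholders, and the `sha256sum`/`shasum` fallback is an assumption about the host.

```shell
#!/bin/sh
# Added example: download an archive and verify a pinned SHA-256 before using it.
# ARCHIVE_URL and EXPECTED_SHA256 are placeholders; a real install snippet embeds
# the digest of the specific release it points at (and so changes every release).
set -eu

ARCHIVE_URL="https://example.invalid/Alcatraz.tar.gz"          # placeholder
EXPECTED_SHA256="0000000000000000000000000000000000000000000000000000000000000000"  # placeholder

# sha256_of FILE -> prints the hex SHA-256 of FILE, using whichever tool exists.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_digest FILE EXPECTED -> exit status 0 if FILE's SHA-256 equals EXPECTED.
verify_digest() {
    actual=$(sha256_of "$1")
    [ "$actual" = "$2" ]
}

# fetch_and_verify URL EXPECTED DEST -> downloads URL to DEST over HTTPS only
# (redirects, e.g. GitHub -> S3, must stay on HTTPS too), then checks the digest.
# A mismatch deletes DEST and fails, so a substituted file is never unpacked.
fetch_and_verify() {
    url=$1; expected=$2; dest=$3
    case "$url" in
        https://*) ;;
        *) echo "refusing non-HTTPS URL: $url" >&2; return 1 ;;
    esac
    curl --proto '=https' --proto-redir '=https' --tlsv1.2 \
         --fail --silent --show-error -o "$dest" "$url" \
        || { echo "download failed: $url" >&2; return 1; }
    if verify_digest "$dest" "$expected"; then
        echo "digest ok: $dest"
    else
        echo "digest mismatch for $dest; deleting" >&2
        rm -f "$dest"
        return 1
    fi
}

# Usage (only runs when invoked directly with placeholders replaced):
#   fetch_and_verify "$ARCHIVE_URL" "$EXPECTED_SHA256" Alcatraz.tar.gz && tar xzf Alcatraz.tar.gz
```

The digest check does not rescue an HTTP download from tampering on its own; it works because the digest itself is published on an HTTPS page the user is told to read directly, which is exactly why the quoted warning asks people not to mirror the snippet elsewhere.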

If someone is wondering, the short url points to the latest release tgz, at the moment to https://github.com/supermarin/Alcatraz/releases/download/1.0...
Yep. The original post contained the links, but fell through the spam filter ;).
The plan is to use github releases from now on, and shorten using git.io
Why does this link need to be shortened at all?
Since the original one is really long; would make the install script even less readable.

Also, git.io allows only shortening github repos; so there should be no harm

> Since the original one is really long; would make the install script even less readable.

Really?

Who do you think your target audience is? I'm sorry, but this is not "really long":

    https://github.com/supermarin/Alcatraz/releases/download/1.0.1/Alcatraz.tar.gz
If you're telling people to run random commands in their terminal that lead to local code execution, then you should trust that they can read a goddamn URL.

If you don't think your user base can read URLs, then you shouldn't be telling them to launch the terminal and run your code.

You are providing an HTTP link to git.io, so it cannot be verified whether I am connecting to the real git.io. This means an attacker can pass himself off as git.io very easily (a classic man-in-the-middle attack).

It doesn't matter if git.io can only shorten git URLs, as git.io will never be involved in a potential attack.

Using a link shortener is okay, but use one that supports HTTPS.