
Recommended installation method is vulnerable to man in the middle attack #182

Open
bddap opened this issue Mar 7, 2023 · 1 comment

Comments


bddap commented Mar 7, 2023

On https://zellij.dev there are instructions to "Try Zellij Without Installing".

This is the script:

bash <(curl -L zellij.dev/launch)

curl uses http by default, so the initial request will not be protected. Since the -L flag is provided, curl eventually follows the redirect to the https version.

It's pretty easy in certain situations to intercept the initial http request and provide a potentially malicious script.

Users should use https instead:

bash <(curl -L https://zellij.dev/launch)

When using https, the -L flag is no longer needed:

bash <(curl https://zellij.dev/launch)

This applies to the bash and fish instructions in this repo, as well as the instructions in the main zellij repo.


sh1boot commented Feb 21, 2024

Harden curl against this with this in ~/.curlrc:

--proto-default https

One should probably also add something to the effect of:

--hsts $HOME/.cache/curl/hsts.txt
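The two points raised in this thread (a bare host name makes curl's first request plain http, and a curlrc with --proto-default https closes that gap) as an added shell example that is not code from the issue or from the Zellij project. It pulls the URL out of the one-liner, reports whether a scheme is present, rewrites it to https, and checks a constructed ~/.curlrc for the hardening line; the parsing helpers and the sample curlrc are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the issue or the Zellij project: audit a
# "curl | bash" one-liner for a plaintext first request and rewrite the URL.

# Pull the URL out of a one-liner such as `bash <(curl -L zellij.dev/launch)`
# (assumes the URL is the last argument inside the <( ... ) substitution).
extract_curl_url() {
    printf '%s\n' "$1" | sed -E 's/.*curl[^)]* ([^ )]+)\).*/\1/'
}

# Print the URL scheme, or "none" when the one-liner relies on curl's
# default, which is plain http for a bare host name.
url_scheme() {
    case "$1" in
        https://*) echo https ;;
        http://*)  echo http ;;
        *://*)     echo "${1%%://*}" ;;
        *)         echo none ;;
    esac
}

# Rewrite the URL so the very first request is made over TLS.
harden_url() {
    case "$(url_scheme "$1")" in
        none) echo "https://$1" ;;
        http) echo "https://${1#http://}" ;;
        *)    echo "$1" ;;
    esac
}

# Return 0 when a curlrc file sets --proto-default https (either the
# "--proto-default https" or the "proto-default = https" spelling).
curlrc_hardened() {
    grep -Eq '^[[:space:]]*(--)?proto-default[[:space:]=]+https[[:space:]]*$' "$1"
}

# Constructed sample: the one-liner from the issue and a hardened ~/.curlrc.
audit_demo() {
    url=$(extract_curl_url 'bash <(curl -L zellij.dev/launch)')
    echo "scheme: $(url_scheme "$url") -> use: bash <(curl $(harden_url "$url"))"
    rc=$(mktemp)
    printf '%s\n' '--proto-default https' '--hsts /tmp/hsts.txt' > "$rc"
    curlrc_hardened "$rc" && echo 'curlrc: --proto-default https is set'
    rm -f "$rc"
}
```

Run `audit_demo` to see the hardened one-liner; the curlrc check only confirms the default scheme, it does not verify that the installing user actually has that file in place.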
