author Keegan McAllister 2013-01-29 13:28:13 -0500
committer Jack Nagel 2013-02-05 16:21:46 -0600
commit 38b803acf98cdfc0338e33a2772dc24dda03725a
tree 39b211bfa6f242bacc1e52e29eb648865b4edaad
parent 3b1675560b971f1ed353230b67acd02d082a1761
Fix insecure 'curl' command in install instructions
Fixes two issues:

- curl was given -k aka --insecure, which causes it to ignore SSL certificate errors. This makes SSL nearly useless against active tampering.

- curl was given a URL with no protocol, causing it to default to unencrypted HTTP. An active attacker can filter out GitHub's HTTPS redirect or modify the response in arbitrary other ways.

Either of these issues makes it quite easy for an active attacker, anywhere on the network between GitHub and the person installing Homebrew, to insert malicious code. Since this code goes straight into the ruby interpreter, this is a one-step compromise of the user's machine.

Since the command got longer, shrink the font so that it still fits in the page column (at maximum width) without scrolling.

On 10.5 the curl command can fail due to missing SSL certs. Add a note to look at the alternate install instructions on the wiki, which now mention curl --insecure.

Signed-off-by: Jack Nagel <jacknagel@gmail.com>
-rw-r--r-- css/screen.css 2
-rw-r--r-- index.html 4
2 files changed, 3 insertions, 3 deletions
diff --git a/css/screen.css b/css/screen.css
index 564ae48d8..2967f3688 100644
--- a/css/screen.css
+++ b/css/screen.css
@@ -102,7 +102,7 @@ pre code {
}
#selectable {
- font-size: 1.9em;
+ font-size: 1.6em;
}
/*}}}*/
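Review bot: The `#selectable` font-size change from 1.9em to 1.6em is a layout tweak bundled into a security fix, and the value is hand-tuned to the current command length with nothing in the stylesheet saying so. A one-line comment in the rule noting that the size is chosen so the install command fits the column without scrolling would stop a later edit from restoring 1.9em, and putting the CSS in its own commit would let the curl fix be reverted or cherry-picked independently.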
diff --git a/index.html b/index.html
index 08ff9a7ec..32c58d438 100644
--- a/index.html
+++ b/index.html
@@ -118,12 +118,12 @@ Created /usr/local/Library/Formula/bar.rb
<li>
<div class="group row">
<h2>Install Homebrew</h2>
- <pre style='clear:both;text-align:center;margin:0 -3em;margin-bottom:0.9em'><code id='selectable' onclick="selectText()">ruby -e &quot;$(curl -fsSkL raw.github.com/mxcl/homebrew/go)&quot;</code></pre>
+ <pre style='clear:both;text-align:center;margin:0 -3em;margin-bottom:0.9em'><code id='selectable' onclick="selectText()">ruby -e &quot;$(curl -fsSL https://raw.github.com/mxcl/homebrew/go)&quot;</code></pre>
<div class="col-1">
<p>Paste that at a Terminal prompt.</p>
</div>
<div class="col-2">
- <p>The script explains what it will do and then pauses before it does it. There are more installation options <a href='https://github.com/mxcl/homebrew/wiki/Installation'>here</a>.
+ <p>The script explains what it will do and then pauses before it does it. There are more installation options <a href='https://github.com/mxcl/homebrew/wiki/Installation'>here</a> (needed on 10.5).
</div>
</div>
</li>
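Review bot: The new install line in index.html still passes `-L`, so curl follows whatever redirect the server returns, including one that points at a plain `http://` URL; removing `-k` and adding `https://` protects only the first request. Where the supported curl versions allow it, consider restricting redirects with `--proto-redir =https`, or point the command at the final URL so `-L` is not needed. Two smaller points in the same hunk: the added `(needed on 10.5)` gives the reader no reason, while the commit message says the linked wiki page now mentions `curl --insecure`, so the page should say that the 10.5 fallback skips certificate checking rather than leave it to be discovered; and the `<p>` in the `col-2` div has no closing `</p>` in either the old or the new line, which is worth fixing while this line is being touched.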