From 38b803acf98cdfc0338e33a2772dc24dda03725a Mon Sep 17 00:00:00 2001
From: Keegan McAllister
Date: Tue, 29 Jan 2013 13:28:13 -0500
Subject: Fix insecure 'curl' command in install instructions

Fixes two issues:

- curl was given -k aka --insecure, which causes it to ignore SSL
  certificate errors. This makes SSL nearly useless against active
  tampering.

- curl was given a URL with no protocol, causing it to default to
  unencrypted HTTP. An active attacker can filter out GitHub's HTTPS
  redirect or modify the response in arbitrary other ways.

Either of these issues makes it quite easy for an active attacker, anywhere on the network between GitHub and the person installing Homebrew, to insert malicious code. Since this code goes straight into the ruby interpreter, this is a one-step compromise of the user's machine.

Since the command got longer, shrink the font so that it still fits in the page column (at maximum width) without scrolling.

On 10.5 the curl command can fail due to missing SSL certs. Add a note to look at the alternate install instructions on the wiki, which now mention curl --insecure.

Signed-off-by: Jack Nagel

--- css/screen.css | 2 +- index.html | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/css/screen.css b/css/screen.css index 564ae48d8..2967f3688 100644 --- a/css/screen.css +++ b/css/screen.css @@ -102,7 +102,7 @@ pre code { } #selectable { - font-size: 1.9em; + font-size: 1.6em; } /*}}}*/ diff --git a/index.html b/index.html index 08ff9a7ec..32c58d438 100644 --- a/index.html +++ b/index.html @@ -118,12 +118,12 @@ Created /usr/local/Library/Formula/bar.rb
  • Install Homebrew

    -
    ruby -e "$(curl -fsSkL raw.github.com/mxcl/homebrew/go)"
    +
    ruby -e "$(curl -fsSL https://raw.github.com/mxcl/homebrew/go)"

    Paste that at a Terminal prompt.

    -

    The script explains what it will do and then pauses before it does it. There are more installation options here. +

    The script explains what it will do and then pauses before it does it. There are more installation options here (needed on 10.5).

  • -- cgit v1.2.3
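
Review bot: In the added index.html command, `curl -fsSL https://raw.github.com/mxcl/homebrew/go`, the `-L` flag still follows whatever redirect the server returns, including one to a plain http:// URL, so the final fetch can end up unencrypted even though the starting URL is HTTPS. Consider pinning the protocol for both the first request and any redirects, for example `--proto '=https' --proto-redir '=https'`, after checking that the curl shipped on the OS X versions this page targets supports those options. Separately, the new "(needed on 10.5)" text sends readers to instructions that, per the commit message, mention curl --insecure; the visible text should say that the alternate path skips certificate verification, so that 10.5 users know what they are giving up.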