https://get.pow.cx instead of http://get.pow.cx #350

Open
pooriaazimi opened this Issue · 5 comments

5 participants

@pooriaazimi

TL;DR: Why don't you serve the source code from https://get.pow.cx?


Hi!

I searched issues (and when GitHub search found nothing, looked at all issues manually) and didn't find anything relevant.

Why isn't there a https://get.pow.cx? We're supposed to `curl get.pow.cx | sh` and then enter our admin passwords. It means that, quite literally, we're running whatever junk the insecure server at get.pow.cx:80 (or whatever resolves to that address in our network) might return as a shell script, as the admin user! I don't know about you, but it really gives me the chills...

Unless I'm terribly mistaken, an attacker (be it the government, or a rogue sysadmin in, say, a college dorm or coffee shop, or any unlikely but nevertheless possible attacker) can now serve a totally bogus script and own our computer.

I know we can download the source from the website, validate that it's not harmful, save it as pow-install.sh and then do ./pow-install.sh, but I think it's silly when we (37signals, actually) can just purchase an SSL certificate (from a CA that curl has no problem with) and serve the source securely.

So my question is this: why not just provide a more secure https://get.pow.cx version of the source, and change the install instructions to `curl https://get.pow.cx | sh`?
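
The safer procedure the post describes (download the script to a file, check it, then run it), written out as an added example. This is not Pow's installer and not code from the thread; get.pow.cx is used only as the URL under discussion, and the optional SHA-256 check is an addition beyond the post: the expected digest is an assumption the caller must obtain out of band (for example from a signed release note), since the project publishes none here. The key points are that `curl --proto '=https'` refuses plain http even via redirect, `-f` stops an HTML error page from being fed to `sh`, and the script lands on disk where it can be read before anything executes.

```sh
#!/bin/sh
# Added example, not the Pow project's own installer.
# Replaces `curl get.pow.cx | sh` with: fetch over TLS only, save to a file,
# optionally verify a caller-supplied SHA-256, and only then run it.

# Accept only https:// URLs. An http:// URL (what the original instructions
# use) is refused before curl is ever invoked.
require_https_url() {
    case "$1" in
        https://*) return 0 ;;
        *) echo "refusing non-https URL: $1" >&2; return 1 ;;
    esac
}

# Compare a file's SHA-256 with an expected digest. The expected value is an
# assumption supplied by the caller from an out-of-band source; this thread
# does not include one for Pow. Works with GNU sha256sum or macOS shasum.
verify_sha256() {
    file="$1"; expected="$2"
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$file" | awk '{print $1}')
    else
        actual=$(shasum -a 256 "$file" | awk '{print $1}')
    fi
    [ "$actual" = "$expected" ]
}

# Download to a file instead of piping into sh.
#   --proto '=https'  curl will not speak anything but https, even on redirect
#   --tlsv1.2         floor on the TLS version
#   -f                fail on HTTP errors instead of saving an error page
#   -sS -L            quiet, but show errors; follow (https-only) redirects
fetch_script() {
    url="$1"; out="$2"
    require_https_url "$url" || return 1
    curl --proto '=https' --tlsv1.2 -fsSL "$url" -o "$out"
}

# Full procedure: fetch, optionally verify, then leave the file for review.
# Execution is deliberately a separate, manual step.
safe_install() {
    url="$1"; expected_sha="$2"
    tmp=$(mktemp) || return 1
    if ! fetch_script "$url" "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    if [ -n "$expected_sha" ] && ! verify_sha256 "$tmp" "$expected_sha"; then
        echo "checksum mismatch, not running $tmp" >&2
        return 1
    fi
    echo "Saved to $tmp; read it, then run: sudo sh $tmp"
}
```

Usage is `safe_install https://get.pow.cx` (or with a second argument holding the expected digest). Note that the digest check only adds anything if the expected value did not arrive over the same untrusted channel as the script; otherwise TLS with a CA that curl trusts is doing all the work, which is exactly why the post asks for https in the first place.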

@tilsammans

Agreed. I would happily pay for the certificate.

@guidobouman

I'd chip in as well.

@shreve

While @sstephenson owns pow.cx, this is a @37signals project. They're a business with money, so I'd suggest taking this up with them.

@tveastman

This is unsafe, and it is disappointing to see that, in December 2015, you are still asking users to run code directly from a non-https URL.

For reference, here's what happened to Cisco a few days ago for using the same mechanism:

http://wadofstuff.blogspot.com.au/2015/11/cve-2015-6357-firepwner-exploit-for.html

@shreve

I'm not sure if it was an option in 2013, but CloudFlare offers an SSL certificate with their free plan. I'm sure @basecamp can afford an SSL cert, but the fact that a good free solution exists makes this kind of ridiculous.
