https://get.pow.cx instead of http://get.pow.cx #350
Comments
Agreed. I would happily pay for the certificate.
I'd chip in as well.
While @sstephenson owns pow.cx, this is a @37signals project. They're a business with money, so I'd suggest taking this up with them.
This is unsafe, and disappointing to see that, in December 2015, you are still asking users to run code directly from a non https URL. For reference, here's what happened to Cisco a few days ago for using the same mechanism: http://wadofstuff.blogspot.com.au/2015/11/cve-2015-6357-firepwner-exploit-for.html
I'm not sure if it was an option in 2013, but CloudFlare offers an SSL certificate with their free plan. I'm sure @basecamp can afford an SSL cert, but the fact that a good free solution exists makes this kind of ridiculous.
If pow maintainers don't want to bother setting up a free Cloudflare SSL cert, just update the documentation to install from github source, like this (just update the path to the latest released version instead of latest master)
It secures pow users, and more importantly it shows that basecamp developers actually understand security and care about it.
Actually ignore what I said, if the pow.cx site is not secure I guess the content can't be trusted. So just get rid of the pow.cx domain and use github for everything or set up a free CloudFlare cert for *.pow.cx
TL;DR: Why don't you serve the source code from https://get.pow.cx?
Hi!
I searched issues (and when GitHub search found nothing, looked at all issues manually) and didn't find anything relevant.
Why isn't there a `https://get.pow.cx`? We're supposed to `curl get.pow.cx | sh` and then enter our admin passwords. It means that quite literally, we're running whatever the junk the insecure server at `get.pow.cx:80` (or, whatever resolves to that address in our network) might return as a shell script, as the admin user! I don't know about you, but it really gives me the chills...
Unless I'm terribly mistaken, an attacker (be it the government or a rogue sysadmin in, say, college dorm or coffee-shop, or any unlikely, but nevertheless possible attacker) can now serve a totally bogus script and own our computer.
I know, we can download the source from the website, validate that it's not harmful, save it as `pow-install.sh` and then do `./pow-install.sh`, but I think it's silly, when we (37signals, actually) can just purchase an SSL certificate (from a CA that curl has no problem with) and serve the source securely?
So my question is this: why just not provide a more secure, `https://get.pow.cx` version of the source, and change the install instructions to `curl https://get.pow.cx | sh`?
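
The download, check, then run alternative that the issue mentions, as an added shell example (not part of the original issue and not code from the pow project). It saves the installer to a file instead of piping it into `sh`, refuses any non-HTTPS transfer, and executes the file only if its SHA-256 matches a digest obtained out of band. The function names, the example URL in the comment and the existence of a published digest are assumptions; the page gives neither a checksum nor a working HTTPS endpoint.

```shell
#!/bin/sh
# Added example: run an installer only if it matches a digest pinned out of band.

# sha256_of FILE: print the hex SHA-256 of FILE (sha256sum on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_installer FILE EXPECTED_SHA256
# Returns 0 on match, 1 on digest mismatch, 2 if FILE is missing or empty.
verify_installer() {
    file=$1; expected=$2
    [ -s "$file" ] || { echo "refusing: $file missing or empty" >&2; return 2; }
    actual=$(sha256_of "$file") || return 2
    if [ "$actual" != "$expected" ]; then
        echo "refusing: digest mismatch for $file" >&2
        echo "  expected $expected" >&2
        echo "  actual   $actual" >&2
        return 1
    fi
    return 0
}

# fetch_verify_run URL EXPECTED_SHA256
# Downloads to a temp file (never into a pipe), verifies it, then executes it.
fetch_verify_run() {
    url=$1; expected=$2
    tmp=$(mktemp) || return 2
    # --proto '=https' makes curl refuse plain http, including http redirects.
    if curl --proto '=https' --tlsv1.2 -fsSL "$url" -o "$tmp" &&
       verify_installer "$tmp" "$expected"; then
        sh "$tmp"; rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Usage (constructed placeholders, not real values):
#   fetch_verify_run "https://installer.example/install.sh" "<sha256 from a trusted channel>"
```

The digest only helps if it reaches the user over a channel the network attacker cannot alter; a checksum published on the same plain-HTTP site gives no protection.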