Hey @bagder, I was wondering about the default Rust install command:

curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh

Is the restriction on --proto to =https strictly required? Will curl switch to http even given an https URL?

Is the restriction to TLSv1.2 strictly required? Will curl downgrade to TLSv1.1 or SSLv3 if the server suggests it?

The -s and -S are fine, but I'd probably live with the stderr output for the sake of command brevity. The -f seems reasonable though.

@thejpster curl would not switch protocol unless there is a redirect and you tell curl to follow it. Which this command line does not. The TLS protocol version looks weird to me, as presumably if this is important, why does the server even offer anything lower?

Brian Campbell

@bagder @thejpster Presumably the concern here would be a MITM attack with a protocol downgrade.

@bagder @thejpster @unlambda I would assume it's just about not wanting to trust that a non-malicious admin doesn't accidentally reconfigure the server, put it behind some misconfigured CDN or DDoS protection service, etc.

@bagder @thejpster @unlambda Lots of "trust" people disregard is trusting well-meaning ppl not to slip up and expose you to bad actors. It's not just a matter of whether you trust them not to be evil themselves. I usually frame things this way when explaining to someone why I can't just trust their service because it avoids questioning their integrity.

@dalias @thejpster @unlambda but is insisting on TLS 1.2 client side really helping for this?

@bagder @thejpster @unlambda If there are attacks that become possible when pre-1.2 is accepted.
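
Added example, not part of the thread and not code from curl or rustup: a Python sketch of the client-side policy that the two flags under discussion express, a scheme allow-list (--proto '=https') and a TLS version floor (--tlsv1.2), enforced by the client no matter what the server offers. The function and class names are made up for this illustration, and unlike the curl command above, urllib follows redirects by default, so the allow-list is applied to each redirect hop as well.

```python
import ssl
import urllib.request
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}  # mirrors --proto '=https'


def require_https(url):
    """Return url unchanged, or raise if its scheme is not allow-listed."""
    scheme = urlsplit(url).scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme {scheme!r} not allowed: {url}")
    return url


def tls12_context():
    """Certificate-verifying context with a client-side floor (mirrors --tlsv1.2)."""
    ctx = ssl.create_default_context()
    # The handshake fails if the peer can only negotiate something older,
    # regardless of how the server or anything in front of it is configured.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


class HttpsOnlyRedirects(urllib.request.HTTPRedirectHandler):
    """Apply the scheme allow-list to every redirect target."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        require_https(newurl)
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def fetch(url, timeout=30):
    """Download url; HTTP errors (status >= 400) raise, comparable to curl -f."""
    opener = urllib.request.build_opener(
        urllib.request.HTTPSHandler(context=tls12_context()),
        HttpsOnlyRedirects(),
    )
    with opener.open(require_https(url), timeout=timeout) as resp:
        return resp.read()
```

Calling fetch("https://sh.rustup.rs") needs network access; the policy functions themselves run offline.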