n-st/nench

HTTPS

Kagami opened this issue · 1 comment

Downloading executable code over HTTP is probably not the best idea.

One can download from https://github.com/n-st/nench/raw/master/nench.sh instead, but the script also downloads the ioping binary over HTTP.

n-st commented

Hi and thank you for your suggestion!

I've thought about this for a long time, hence the late reply…
It would be nice to have the option to use HTTPS, but I'd rather not make it compulsory, which complicates things:

  • Compulsory HTTPS would introduce additional requirements (SSL support and preferably a database of trusted CA certificates).
  • Optional HTTPS support would require either
    • two versions of the script with different hardcoded URLs (the way it is done now), or
    • a way to automatically detect over which protocol the script was downloaded and use the same protocol for the ioping download (which would probably require a dynamic component on the webserver), or
    • a command-line argument to switch between HTTP and HTTPS downloads (and a decision which should be the default without an argument).
  • In any case, I would have to set up and maintain a TLS certificate on the machine that is currently hosting wget.racing — which isn't a lot of effort, but certainly more than the current "set-and-forget" HTTP server.

Considering that this script is a benchmark tool that is meant to be run infrequently and not in production, I don't think it is worth the hassle to safeguard against the rather infrequent threat of intercepted HTTP connections.
For any cases where it would be used repeatedly, it would be more efficient to clone the Git repository and install ioping via your distribution's packaging mechanism.

If you feel that I have misinterpreted your use case, please do let me know!
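
The command-line switch from the list above, sketched together with a pinned SHA-256 check so that the downloaded binary is verified whichever protocol fetched it. This is an added example, not code from nench or its author; the `--https`/`--http` flags, the function names, the host and the digest are hypothetical placeholders.

```shell
#!/bin/sh
# Added illustration: flag names, function names and the URL host are hypothetical.

# Command-line switch between protocols, with HTTP staying the default.
pick_scheme() {
    scheme=http
    for arg in "$@"; do
        case "$arg" in
            --https) scheme=https ;;
            --http)  scheme=http ;;
        esac
    done
    printf '%s\n' "$scheme"
}

# Transport-independent integrity check: compare the file's SHA-256 with a
# digest pinned in the script. Returns 0 only on an exact match.
verify_sha256() {
    file=$1 expected=$2
    [ -f "$file" ] || return 2
    actual=$(sha256sum "$file" | cut -d' ' -f1) || return 2
    [ "$actual" = "$expected" ]
}

# Download to a temp file, verify it, and only then mark it executable.
fetch_verified() {
    url=$1 expected=$2 dest=$3
    tmp=$(mktemp) || return 1
    if command -v curl >/dev/null 2>&1; then
        curl -fsS -o "$tmp" "$url"
    else
        wget -q -O "$tmp" "$url"
    fi || { rm -f "$tmp"; return 1; }
    if verify_sha256 "$tmp" "$expected"; then
        mv "$tmp" "$dest" && chmod +x "$dest"
    else
        echo "checksum mismatch for $url, refusing to run it" >&2
        rm -f "$tmp"
        return 1
    fi
}

# Usage sketch (placeholder host and digest, not the project's real values):
# fetch_verified "$(pick_scheme "$@")://downloads.example.invalid/ioping" \
#     "<PINNED_SHA256>" ./ioping
```

The digest check only helps if the script carrying the pinned value was itself obtained over a trusted channel, such as the GitHub HTTPS URL or a Git clone mentioned in the thread.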