pimoroni/scroll-phat

Please provide a more secure way to download / install!

Closed this issue · 9 comments

The current installation works by downloading and running several shell scripts over a completely unauthenticated connection, which makes it very easy for an attacker to serve malicious scripts instead. This poses a huge security and privacy risk to your users, especially considering some of the scripts are expected to be run with sudo!

Please fix this by adding certificate(s) to your server(s), updating your scripts to authenticate the server connection and updating your installation instructions (e.g. tell users to use curl with the --cacert option or tell them to check the first script they download and use the option in there).

Seems a very reasonable request to want HTTPS. One for @Gadgetoid to think about. Maybe re-open at https://github.com/pimoroni/get where the scripts actually live?

If the scripts are actually hosted there, you could even base the authentication on the Github cert. No need to get and pay for your own.

It's a tricky balance. Security introduces complexity, and the purpose of a simple installer script is to be simple. Even having to type "|" is a barrier to some users. I'm not sure whether or not the "--cacert" option is required, but it certainly doesn't help the succinctness of the command.

The counter argument is that the cat is pretty much out of the bag on the Pi anyway, the "Pi" user has a well-known default password and unfettered access to "root". It already employs a strategy of security through obscurity.

That said, I'll look in to getting an SSL cert for get.pimoroni.com, because best practice is best practice and no amount of shortfall in any other avenue should excuse not being rigorous everywhere else.

If I'm honest, I don't like the "curl pipe bash" way of distributing software, but it's quick and convenient for the end-user, and for the developer since it doesn't involve any arcane packing techniques or distribution methods. On the flip side, it's fragile and prone to potential unexpected failures: https://www.seancassidy.me/dont-pipe-to-your-shell.html

Sheesh... I prattle on ;)

@Gadgetoid very nice work there. Will the old command still function?

curl -sSL get.pimoroni.com/scrollphat | bash

The old command will still function, but won't be bumped automagically to SSL. We'll leave it as-is and update the documentation to reflect the more secure method of distribution, pending a generally better solution sometime in the future.

Great, thank you very much! I was not aware that curl automatically checks the certificate.
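A hardened form of the fetch-and-run step discussed in this thread, added here as an illustration and not part of Pimoroni's installer or the get.pimoroni.com scripts: it refuses anything but HTTPS (so curl's default certificate check, which the last comment asks about, actually applies), saves the script to a file, checks it against a digest published out of band, and only then runs it. The function names and the EXPECTED_SHA256 placeholder are this example's own assumptions.

```shell
#!/bin/sh
# Added example: TLS-only fetch, digest check, then run.
# The digest is a placeholder; obtain the real one from a trusted channel.
set -eu

SCRIPT_URL="https://get.pimoroni.com/scrollphat"          # HTTPS variant of the thread's URL
EXPECTED_SHA256="<paste-digest-from-a-trusted-channel>"   # placeholder, not a real value

# SHA-256 hex digest of file $1, portable across sha256sum and shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Returns 0 if file $1 hashes to digest $2 (hex, case-insensitive), else 1.
verify_digest() {
    actual=$(sha256_of "$1" | tr 'A-F' 'a-f')
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# Download $1 into file $2. --proto '=https' rejects plain-HTTP URLs and
# redirects; -f fails on HTTP errors; curl verifies the server certificate
# against the system CA bundle by default, so no --cacert is needed.
fetch_script() {
    curl --proto '=https' --tlsv1.2 -sSfL -o "$2" "$1"
}

# Fetch, verify, and only then hand the script to bash.
install_verified() {
    tmp=$(mktemp)
    trap 'rm -f "$tmp"' EXIT
    fetch_script "$SCRIPT_URL" "$tmp"
    if ! verify_digest "$tmp" "$EXPECTED_SHA256"; then
        echo "digest mismatch for $SCRIPT_URL: refusing to run it" >&2
        return 1
    fi
    bash "$tmp"
}

# Usage (needs network and a real digest): install_verified
```

A user who wants to read the script first can inspect the temporary file between the verify and run steps; a digest mismatch means the download is not what the publisher released and nothing is executed.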

This issue can be closed now, right? @BalzGuenat

IMO yes. Maybe change it in the scripts as well? But at least aware users can now change it themselves.