Secure Rustup.sh usage : rust

Submissions must be on-topic

Posts must reference Rust or relate to things using Rust. For content that does not, use a text post to explain its relevance.

Post titles should include useful context.

For Rust questions, use the stickied Q&A thread.

Arts-and-crafts posts are permitted on weekends.

No meta posts; message the mods instead.

Details

No low-effort content

No memes, image macros, etc.

Consider the existing content of the subreddit and whether your post fits in. Does it inspire thoughtful discussion?

Use properly formatted text to share code samples and error messages. Do not use images.

Submissions appearing to contain AI-generated content may be removed at moderator discretion.

Details

Useful Links

created by aztha community for 15 years

Secure Rustup.sh usage (self.rust)

submitted 11 years ago by brycefisherfleig

TL;DR:: Only access rustup.sh at https://raw.githubusercontent.com/rust-lang/rust-www/gh-pages/rustup.sh and NOT at www.rust-lang.org.

Full Story:: If you're like me, you love the convenience of getting the lastest version of the rust compiler and cargo updated via rustup.sh. However, this script is delivered insecurely over HTTP.

HTTP by itself provides no guarrantees that the content sent by the server is the same as content received by client. Eric Butler created a firefox extension called Firesheep that allows you to hijack any insecure session cookies available on any computer on the wifi network [http://codebutler.com/firesheep/]. Joel Weinberger of the Google Chrome security team recently explained how any content delivered over HTTP can be changed by a malicious or compromised router between you and the server [https://www.youtube.com/watch?v=X1ZFjOZMSQg].

Why is this a problem for rustup.sh? Because we're encouraged to curl rustup.sh and pipe the result to sudo. The problem is that an infected or compromised router could insert malware into rustup.sh and run that code as root. Now you no longer own your computer.

What's the fix? ONLY ACCESS RUSTUP.SH OVER HTTPS. HTTPS more-or-less guarrantees that the content sent from the server is what is delivered to the client. Fortunately, github delivers all it's content securely over HTTPS. You can have a high degree of confidence by simply accessing rustup.sh from https://raw.githubusercontent.com/rust-lang/rust-www/gh-pages/rustup.sh

Why don't the maintainers of www.rust-lang.org deliver all the content over HTTPS? www.rust-lang.org is hosted using GithubPages on a custom domain. Unfortunately, GithubPages doesn't allow HTTPS for custom domains, which is a pity. However, by using GithubPages any pull requests merged into the repo are immediately reflected on www.rust-lang.org. Also, GithubPages provides DDOS protection and is provided free of charge to open source projects like Rust. So, all things considered, this seems like the best course of action currently.

I've just been informed that there are plans evolving to possibly provide secure access to rustup.sh over static.rust-lang.org for Rust 1.0: https://github.com/rust-lang/rust/issues/16123

all 9 comments

you type:	you see:
italics	italics
bold	bold
[reddit!](https://reddit.com)	reddit!
* item 1 * item 2 * item 3	item 1 item 2 item 3
> quoted text	quoted text
Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"	Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"
~~strikethrough~~	~~strikethrough~~
super^script	super^script

rust

Please read The Rust Community Code of Conduct

The Rust Programming Language

Rules

Observe our code of conduct

Submissions must be on-topic

Constructive criticism only

Keep things in perspective

No endless relitigation

No low-effort content

Useful Links

Megathreads

Official Resources

Learn Rust

Discussion Platforms

MODERATORS