
Download Script SSL #200

Open
croemmich opened this issue Aug 25, 2016 · 10 comments

@croemmich
Contributor

The download script listed in the docs (http://deis.io/deis-cli/install-v2.sh) is currently being served over a non-SSL connection, allowing a MITM attack to replace the script and fetch a rogue client binary. That'd be all sorts of bad...

@bacongobbler
Member

bacongobbler commented Aug 25, 2016

The problem right now is that the install script is hosted by GitHub Pages, which does not support SSL. For the time being, the best way to prevent MITM attacks and to use SSL for installing the client is to either

  1. verify that the script downloaded with curl matches https://github.com/deis/deis.io/blob/gh-pages/deis-cli/install-v2.sh
  2. manually download the client via curl -o deis https://storage.googleapis.com/workflow-cli/v2.3.0/deis-v2.3.0-linux-amd64
  3. use curl https://raw.githubusercontent.com/deis/deis.io/gh-pages/deis-cli/install-v2.sh | bash instead.

Hope this helps :)

@Joshua-Anderson
Contributor

@slack Would it be possible to move this script to deis.com? I guess that would close source the script, but we could also move it to a subdomain like what we do for helm classic and get.helm.sh.

@croemmich
Contributor Author

Could you move the source to the documentation repository? If I'm not mistaken, that gets built and hosted on deis.com, which has SSL. The script doesn't really do that much and is only ever referenced from the documentation.

@bacongobbler
Member

bacongobbler commented Aug 25, 2016

I think that'd be reasonable since deis.com is a private repo due to licensing issues with the blog posts. It would allow contributors to continue providing updates and enhancements to the script and we get it backed by SSL. Problem is that the URL would then be https://deis.com/docs/workflow/deis-cli/install-v2.sh, which would be a little too long to type out. Optimally, if it were hosted by deis.com, it would be preferred to have it at something like https://deis.com/install-v2.sh

@croemmich
Contributor Author

Personally, I'll probably always copy and paste it so length doesn't matter much to me. As far as your deis.com brand goes, https://deis.com/install-v2.sh would definitely be optimal.

@Joshua-Anderson Joshua-Anderson added this to the v2.6 milestone Sep 8, 2016
@bacongobbler
Member

We're planning on a site-wide migration over to deis.com so this will eventually happen. The ticket for doing this is behind closed doors (so to speak) so there's no public announcement on when that'll happen, but there is a migration plan for deis.io content to move to deis.com.

This isn't something we can implement within this release though, so I'll remove the milestone. I'm also removing the priority as there is a workaround for users who are concerned about MITM attacks:

curl https://raw.githubusercontent.com/deis/deis.io/gh-pages/deis-cli/install-v2.sh | bash

@bacongobbler bacongobbler removed this from the v2.6 milestone Sep 19, 2016
@rvadim

rvadim commented Dec 21, 2016

Download of 2.3.0 works fine, but the latest versions do not actually work:

$ curl -o deis https://storage.googleapis.com/workflow-cli/v2.9.1/deis-v2.9.1-linux-amd64
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   127  100   127    0     0    224      0 --:--:-- --:--:-- --:--:--   225
/ $ cat deis
<?xml version='1.0' encoding='UTF-8'?><Error><Code>NoSuchKey</Code><Message>The specified key does not exist.</Message></Error>/ #
/ $ curl https://storage.googleapis.com/workflow-cli/v2.9.1/deis-v2.9.1-linux-amd64
<?xml version='1.0' encoding='UTF-8'?><Error><Code>NoSuchKey</Code><Message>The specified key does not exist.</Message></Error>/ #
/ $
/ $ curl https://storage.googleapis.com/workflow-cli/v2.9.0/deis-v2.9.0-linux-amd64
<?xml version='1.0' encoding='UTF-8'?><Error><Code>NoSuchKey</Code><Message>The specified key does not exist.</Message></Error>/ #
/ $
/ $ curl https://storage.googleapis.com/workflow-cli/v2.8.0/deis-v2.8.0-linux-amd64
<?xml version='1.0' encoding='UTF-8'?><Error><Code>NoSuchKey</Code><Message>The specified key does not exist.</Message></Error>/ #

@mboersma
Member

@rvadim that URL isn't correct, it should be in the "workflow-cli-release" directory. Try this one:

$ curl -o deis https://storage.googleapis.com/workflow-cli-release/v2.9.1/deis-v2.9.1-linux-amd64
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 9021k  100 9021k    0     0  14.1M      0 --:--:-- --:--:-- --:--:-- 14.1M
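The two failure modes in this thread (an install script fetched over plain HTTP that a network attacker can rewrite, and a `curl -o` that silently saves an object store's XML error document as if it were the binary) are both addressed by the added POSIX shell wrapper below. It is an example written for this page, not the Deis install script or any Deis project code: it refuses non-HTTPS URLs, makes curl fail on HTTP errors instead of saving the error body, rejects a download that looks like an error page, and checks a pinned SHA-256 before anything is marked executable. The URL, digest and destination path are placeholders the caller supplies; the digest for a real release would come from the project's published checksums.

```shell
#!/bin/sh
# Added example: fetch a release artifact only over HTTPS, refuse the
# "saved the error page as the binary" failure mode, and verify a pinned
# SHA-256 before the file is made executable. URL/digest/dest are
# placeholders supplied by the caller.
set -eu

# Accept only https:// URLs; an http:// script can be rewritten in transit.
require_https() {
  case "$1" in
    https://*) return 0 ;;
    *) echo "refusing non-HTTPS URL: $1" >&2; return 1 ;;
  esac
}

# Object stores answer a missing key with an XML error document; without
# 'curl -f' that document lands on disk under the binary's name (the
# NoSuchKey output above). Treat an empty file or one that starts like
# XML/HTML as "not a binary".
looks_like_error_doc() {
  [ -s "$1" ] || return 0
  head -c 64 "$1" | grep -q -e '<?xml' -e '<Error>' -e '<html' -e '<!DOCTYPE'
}

# Print the SHA-256 of a file; coreutils first, shasum as the macOS fallback.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Compare a file's digest with the pinned value, ignoring hex case.
verify_sha256() {
  actual=$(sha256_of "$1" | tr 'A-F' 'a-f')
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  [ "$actual" = "$expected" ]
}

# Download to a temp file, sanity-check it, verify the digest, then move it
# into place. Nothing becomes executable until every check has passed.
install_verified() {
  url=$1; expected=$2; dest=$3
  require_https "$url"
  tmp=$(mktemp)
  trap 'rm -f "$tmp"' EXIT
  # -f: fail on HTTP 4xx/5xx instead of saving the error body
  # -sS: quiet, but still report errors; -L: follow redirects
  # --proto/--proto-redir '=https': never downgrade, even on redirect
  curl -fsSL --proto '=https' --proto-redir '=https' --tlsv1.2 \
       -o "$tmp" "$url"
  if looks_like_error_doc "$tmp"; then
    echo "downloaded file is an error document, not a binary: $url" >&2
    return 1
  fi
  if ! verify_sha256 "$tmp" "$expected"; then
    echo "SHA-256 mismatch for $url" >&2
    return 1
  fi
  mv "$tmp" "$dest"
  chmod 0755 "$dest"
  trap - EXIT
}

# Usage (placeholders, not a real release digest):
#   install_verified https://example.invalid/deis-linux-amd64 <sha256> ./deis
```

The same pattern applies to the install script itself: download it to a file, compare it with the copy served from the repository over HTTPS (or a pinned digest), and only then run it, rather than piping `curl` straight into `bash`.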

@rvadim

rvadim commented Dec 22, 2016

@mboersma Thank you.

@Cryptophobia

This issue was moved to teamhephy/workflow-cli#22


6 participants