Force highest TLS version supported #1716
Conversation
|
Hi @sanmai-NL, Thank you for your contribution to Rustup. Would it also make sense to adjust |
|
Yes, and https://www.rust-lang.org/learn/get-started as well. As for backward compatibility of a similar change to |
|
If you can verify that the cURL version in RHEL 7 and later distros is suitable then please update your patch to cover rustup-init.sh and we'll probably merge it. You'll need a separate issue opening on the website repo for that bit though. |
The integrity and confidentiality of the installer script hinges currently on TLS. It is important to enforce the highest version of TLS in the instructions. Also, enforce the `https` scheme. Should redirects occur in the future, then each URL redirected to must be accessed using TLS 1.2 with HTTP, rather than allowing a plain HTTP link in the chain.
|
@kinnison: Done. Also added similar options to the |
|
|
|
As for cURL, |
|
We try to maintain an older CI baseline because it increases our reachability wrt. distributions - glibc versions are a pain. |
|
@kinnison: alright, but this is ready for merging no? |
|
@kinnison: ping. |
|
@sanmai-NL Our working group meeting is tonight, I planned to check there before hitting merge. |
|
@kinnison I've just noticed that command may not work on zsh. You have to type: curl --proto \=https --tlsv1.2 -sSf https://sh.rustup.rsor curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rsinstead. |
|
Hmm, I wonder why I didn't spot that.. rummages Looks like I have |
| @@ -36,7 +36,7 @@ | |||
| then follow the onscreen instructions. | |||
| </p> | |||
| <p>If you're a Windows Subsystem for Linux user run the following in your terminal, then follow the onscreen instructions to install Rust.</p> | |||
| <pre>curl https://sh.rustup.rs -sSf | sh</pre> | |||
| <pre>curl --proto =https --tlsv1.2 -sSf https://sh.rustup.rs | sh</pre> | |||
There was a problem hiding this comment.
Could this be left as it was? This is just intended to be a quick one-liner copy/paste snippet and expanding with so many options can be pretty intimidating as a copy/paste snippet. Does this really add enough benefit relative to what it's displaying on the site?
There was a problem hiding this comment.
You are expressing certain feelings towards this without backing them up with a UX study. I am sad you prioritize the length of an already technical one-liner over the clear and specified security improvement. I think it is instead a good signal that in the Rust ecosystem, security is taken seriously.
There was a problem hiding this comment.
Certainly the display isn't as good as it used to be. We could use web techniques to hide the extra arguments from the display but include them in the copy/paste, and provide a copy-command-to-clipboard button which puts it all there, for ease of use?
There was a problem hiding this comment.
Currently the box requires scrolling, and people are more likely to fail to copy the whole command than not. While I personally dislike the narrow styling, I understand why it's there so would prefer to maintain it over trying to do better myself. If someone else could make it work somehow then that'd be good too.
Forces use of https and TLS1.2 to avoid shifty business. See rust-lang/rustup#1716 for details.
The integrity and confidentiality of the installer script currently hinges on TLS. It is important to enforce the highest version of TLS in the instructions. Also, enforce the
httpsscheme. Should redirects occur in the future, then each URL redirected to must be accessed using TLS 1.2 with HTTP, rather than allowing a plain HTTP link in the chain.