Dropped unnecessary curl option #2204
The curl proto option is not necessary (since target URL is https), hence it should be dropped.
What kind of HTTPS->HTTP downgrade attacks are you afraid of? Also, that Moreover, if your threat model requires a very high degree of security, I think you should consider many other issues first (e.g. neither rustup.rs nor rust-lang.org seem to be included in HSTS preload lists, and they also don't support TLS 1.3).
In this instance I'm more interested in belt and braces. The particular combination of arguments was recommended to us as part of #1716 and I'm reluctant to remove arguments without the author of that change (@sanmai-NL) confirming how you believe cURL works wrt. redirects.
Ok, I understand your point.
@marcobellaccini: why should we remove security measures when other security measures haven't been implemented yet? Do you have a risk assessment that supports your idea that such an attack is highly unlikely? Please help by implementing the missing security measures.
I have made my comments.
I also don't have administrative access for rustup. You may raise the concerns, though. TLS 1.3 is limited by Amazon, I'm afraid.