tasiaiso/tasiaiso.vulpecula.zone
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity

a

Browse source
This commit is contained in:
Tasia Iso 2024-05-08 17:12:33 +02:00
parent e3f574cf5a
commit bc06eb26c5
Signed by: tasiaiso
SSH key fingerprint: SHA256:KiRjUay5C9i6objsEOIycygBHn54pDBB3Lj7fyJ0Elw
5 changed files with 34 additions and 22 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

37
docs/drafts/.curlpipebash.md
View file

@ -1,5 +1,7 @@
# DRAFT: curl | bash # DRAFT: curl | bash
2024-05-08
In April of 2024 I wrote a post on Fediverse explaining that using `curl | bash` was not a security risk. A bit later, I debated on the same subject on a Matrix channel. The other parties involved caused me to do some further research on the subject and led me to review my opinion. As one could imagine, it turns out that the answer actually is, "it depends". In April of 2024 I wrote a post on Fediverse explaining that using `curl | bash` was not a security risk. A bit later, I debated on the same subject on a Matrix channel. The other parties involved caused me to do some further research on the subject and led me to review my opinion. As one could imagine, it turns out that the answer actually is, "it depends".
I based my original argument on the fact that you ultimately have to trust the person that provides you the code, which is true, but *incomplete*. I based my original argument on the fact that you ultimately have to trust the person that provides you the code, which is true, but *incomplete*.
@ -52,15 +54,16 @@ This script installs the Determinate Nix installer, a Nix-based package manager.
- `https://install.determinate.systems/nix`: The URL that points to an installation script; - `https://install.determinate.systems/nix`: The URL that points to an installation script;
- `|`: If `curl` gets the script successfully, pass it on to the next command; - `|`: If `curl` gets the script successfully, pass it on to the next command;
- `sh`: Execute whatever `curl` gets from the server - `sh`: Execute whatever `curl` gets from the server
- `-s`: - `-s`:
- `-- install`: - `-- install`:
- ``: - ``:
We can see that the script explicitly requires `curl` to use a secure connection. At first glance, this seeems like a secure way to run the installer. However, if the server is compromised in some way, we could be downloading malware instead. We can see that the script explicitly requires `curl` to use a secure connection. At first glance, this seeems like a secure way to run the installer. However, if the server is compromised in some way, we could be downloading malware instead.
We can mitigate this risk by using a method used by most package managers, which is using 2 different servers with different functions: one that hosts the artifact's cryptographic hash or signature (here called *signing autohrity*), and another one that serves the artifact directly to us (here called *artifact provider*). This way, if either server is compromised, the software that's served to the client will not be verified and therefore not run. We can mitigate this risk by using a method used by most package managers, which is using 2 different servers with different functions: one that hosts the artifact's cryptographic hash or signature (here called *signing autohrity*), and another one that serves the artifact directly to us (here called *artifact provider*). This way, if either server is compromised, the software that's served to the client will not be verified and therefore not run.
We can reduce the risk of getting both machines compromised at once by: We can reduce the risk of getting both machines compromised at once by:
- Having them be controlled by 2 different entities (companies and/or persons); - Having them be controlled by 2 different entities (companies and/or persons);
- Having them be managed by 2 different systems administrators; - Having them be managed by 2 different systems administrators;
- Using different data centers, network routes, domains and SSL certificates; - Using different data centers, network routes, domains and SSL certificates;
@ -89,25 +92,27 @@ There's still other parameters that I won't bother bringing into the picture rig
An example infrastructure would look like this: An example infrastructure would look like this:
- Signing authority - Signing authority
- Managed by John Doe
- Hosted in DigitalOcean (Germany or Switzerland) - Managed by John Doe
- NixOS - Hosted in DigitalOcean (Germany or Switzerland)
- HTTP server: Nginx - NixOS
- Domain: `determinate.systems` - HTTP server: Nginx
- Domain: `determinate.systems`
- Artifact provider - Artifact provider
- Managed by Jane Poe - Managed by Jane Poe
- Hosted by a worldwide CDN (Hetzner) - Hosted by a worldwide CDN (Hetzner)
- RHEL - RHEL
- HTTP server: Apache - HTTP server: Apache
- Domain: `install-determinate.systems` or `install.determinate.systems` - Domain: `install-determinate.systems` or `install.determinate.systems`
*This is not an endorsement for RHEL, Hetzner, Apache Web Server or even Determinate Systems; as of writing this, I've never tried them. I do very much endorse the use of NixOS however.* *This is not an endorsement for RHEL, Hetzner, Apache Web Server or even Determinate Systems; as of writing this, I've never tried them. I do very much endorse the use of NixOS however.*
Now, compromising this part of the supply chain has become extremely hard. The attacker will either: Now, compromising this part of the supply chain has become extremely hard. The attacker will either:
- Need technical competency (TODO) in NixOS, RHEL, Nginx and Apache, as well as compromising an entire CDN (TODO); - Need technical competency (TODO) in NixOS, RHEL, Nginx and Apache, as well as compromising an entire CDN (TODO);
- Compromise both of the sysadmin's machines through social engineering; - Compromise both of the sysadmin's machines through social engineering;
... ...
- Use several of the methods listed above. - Use several of the methods listed above.
Now, it would be a lot more feasible to attack another part of the supply chain, which is a subject for another article. Now, it would be a lot more feasible to attack another part of the supply chain, which is a subject for another article.
@ -124,8 +129,4 @@ Making a shell script that leverages this infrastructure isn't actually hard at
### Method 1: Hash ### Method 1: Hash
### Method 2: PGP signature ### Method 2: PGP signature

5
docs/drafts/.noscript.md Normal file
View file

@ -0,0 +1,5 @@
# Disabling JavaScirpt
2024-05-08
A bit ago I found this article where a person didsabled JavaScript on their browser by default

2
docs/drafts/.tulpamancy.md
View file

@ -1,5 +1,7 @@
# Tulpamancy # Tulpamancy
2024-05-08
Disclaimer: as of sriting this I do not have Disclaimer: as of sriting this I do not have
A month ago I discovered tulpamancy. A month ago I discovered tulpamancy.

BIN
theme/images/badges/firefoxnow.gif
View file

Binary file not shown.
Side by side

Before

Width:  |  Height:  |  Size: 2.3 KiB

12
theme/main.html
View file

@ -81,10 +81,14 @@
><img src="images/badges/nixos.png" alt="nixos badge" ><img src="images/badges/nixos.png" alt="nixos badge"
/></a> /></a>
<a href="images/badges/credits.txt">(credits)</a>
<hr> <hr />
This is a <a href="https://https://motherfuckingwebsite.com">motherfucking website</a>. This is a
<br> <a href="https://https://motherfuckingwebsite.com">motherfucking website</a
Built by <a href="https://www.mkdocs.org">mkdocs</a> and served by <a href="https://tilde.club">tilde.club</a>. >.
<br />
Built by <a href="https://www.mkdocs.org">mkdocs</a> and served by
<a href="https://tilde.club">tilde.club</a>.
</body> </body>
</html> </html>