devonfw / devonfw.github.io

devonfw official website
https://www.devonfw.com/

Don't recommend users to execute script code from cryptic domains #119

Open markusschuh opened 4 years ago

markusschuh commented 4 years ago

As a security expert who tries to think like an attacker, I wonder if an instruction such as

wget -c https://bit.ly/2BCkFa9 -O - | tar -xz && bash setup

couldn't be misused within some social engineering attack. What if the attacker sets up another bitly link that downloads something else and closely mimics the devonfw-ide download? This alone won't allow the attacker to make the victim enter the wrong bitly URL - but I could imagine some social engineering techniques to make it more likely to happen. Could you see any difference if you'd get the instruction to run the setup via another bit.ly link? No - but the result of this command could be drastically different.

wget -c https://bit.ly/xy2BCkFa9 -O - | tar -xz && bash setup

Small risk - sure. But at the same time there is also very little to gain from using this URL shortener here. At least not as long as the command is just clicked - or transferred via copy & paste to a CLI prompt.

Why not try to introduce another short URL here that is more visibly tied to devonfw? What about:

https://devonfw.com/getide

The devonfw.com domain is redirected to GitHub Pages. At the moment, I don't see that GitHub Pages has any option to allow a 302 redirect. Only meta-refresh redirects offer some redirection there. But these are only consumed by browsers - not by curl or wget. So you probably won't be able to provide this URL as the devonfw-ide download URL.

Maybe there is a chance to introduce another entry into the devonfw.com domain: some domain hosters offer 301/302 redirect services which allow setting the "Location" URL. An entry like the following would then result in the wanted download URL:

https://getide.devonfw.com

Sure - this is only a small step forward in securing the download, since there are so many 3rd party providers involved in the overall setup. Nevertheless, an attack to gain control over devonfw.com domain management is harder than setting up one's own - completely independent - bit.ly account and providing an alternative - but evil - bit.ly link.
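A check a reader could run before piping such a link to a shell, added here as an example that is not part of the issue or of the devonfw project: it follows the redirect chain the way wget and curl do (Location headers only, so a meta-refresh page counts as the final destination) and accepts the download only when the final host is devonfw.com or one of its subdomains. The redirect table, the getide.devonfw.com path and the *.invalid hosts are constructed stand-ins for live responses.

```python
"""Resolve a short link's redirect chain and vet the final host before piping it to a shell."""
from urllib.parse import urljoin, urlparse

# Constructed redirect table standing in for live HTTP responses: url -> (status, Location).
# The getide.devonfw.com path and the *.invalid hosts are placeholders, not real endpoints.
CONSTRUCTED_RESPONSES = {
    # The short link from the issue, assumed here to land on a devonfw.com host.
    "https://bit.ly/2BCkFa9": (301, "https://getide.devonfw.com/devonfw-ide.tgz"),
    "https://getide.devonfw.com/devonfw-ide.tgz": (200, None),
    # A look-alike short link that lands somewhere unrelated.
    "https://bit.ly/xy2BCkFa9": (301, "https://cdn.example.invalid/setup.tgz"),
    "https://cdn.example.invalid/setup.tgz": (200, None),
    # A host that merely contains the trusted name must not pass the suffix check.
    "https://bit.ly/typo": (302, "https://getide.devonfw.com.evil.invalid/setup.tgz"),
    "https://getide.devonfw.com.evil.invalid/setup.tgz": (200, None),
    # A redirect loop (relative Location): the resolver must give up, not spin forever.
    "https://bit.ly/loop": (302, "/loop"),
}

def constructed_fetch(url):
    """Stand-in for an HTTP HEAD request; returns (status, Location header or None)."""
    return CONSTRUCTED_RESPONSES.get(url, (404, None))

def resolve_chain(url, fetch=constructed_fetch, max_hops=10):
    """Follow 3xx Location redirects like `curl -L`/`wget` and return every URL visited.
    Only Location headers count: a meta-refresh page is a 200 and therefore final."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in (301, 302, 303, 307, 308) or not location:
            return chain
        chain.append(urljoin(chain[-1], location))  # Location may be relative
    raise RuntimeError(f"more than {max_hops} redirects starting at {url}")

def final_host_trusted(url, trusted_domains=("devonfw.com",), fetch=constructed_fetch):
    """True only if every hop is https and the final host is a trusted domain or a subdomain.
    Exact match or ".devonfw.com" suffix only, so devonfw.com.evil.invalid is rejected."""
    try:
        chain = resolve_chain(url, fetch)
    except RuntimeError:
        return False
    if any(urlparse(hop).scheme != "https" for hop in chain):
        return False
    host = (urlparse(chain[-1]).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in trusted_domains)

if __name__ == "__main__":
    for link in ("https://bit.ly/2BCkFa9", "https://bit.ly/xy2BCkFa9", "https://bit.ly/typo"):
        print(link, "->", resolve_chain(link)[-1], "trusted:", final_host_trusted(link))
```

Against a live link, `fetch` would be replaced by a HEAD request that does not follow redirects itself, so the script sees every hop rather than only the end of the chain.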

SchettlerKoehler commented 3 years ago

The short link was removed. Still, there is no alternative but to use the long link because of the limitations of the devonfw.com webserver.