
If you think the security of static websites doesn't matter, *imagine* if someone maliciously altered the "copy and paste" instructions for Let's Encrypt. Would you detect the change? (Image below is faked, but you get the point. I'm just using Let's Encrypt as a common example)

@Wolf480pl A made-up malicious tool that when run does something bad on your server.

@climagic @Wolf480pl Whew, a malicious tool making it into a package repository? Not impossible, but not that likely...

If I may suggest, perhaps something nc, where the user is then directed to add the command

nc -nvlp 5555 -e /bin/bash

in place of sslytherinm. If they don't have the firewall set up, then copy-pasting the command would create a shell bound to port 5555...

@clarjon1 @climagic
IMO a curl | bash would be even more likely to succeed.

@climagic On that topic I highly recommend Troy Hunt's article + video:

troyhunt.com/heres-why-your-st

It really showcases why you want HTTPS for your static websites.

(Of course there is more to security than HTTPS, but it's the most basic element for every website.)

@climagic

Some of our readers asked us what is wrong with our code snippets. They simply copied and pasted them, including some generic and clearly-marked placeholders.

So it is not that unlikely that some people blindly install or configure software on their servers.

@infosechandbook @climagic on our wiki at work we tend to prefix shell snippets with # to help protect against this.

Unfortunately stackoverflow style copy/paste without engaging the 🧠 is super common!

@infosechandbook @climagic I don't know your specific case, but it might help to explain just a bit what the code snippet does. More often than I would wish, I find myself executing one-liners where I don't know *precisely* what they do, simply because it's the only solution I found on the Internet... (And I do have a tech background.)

Also, I would sometimes find it more helpful if less clever solutions were offered (with less piping and temp files - more than one line is okay for me!)
