Use installation instruction with rustup as recommended in forge and rustup by yerke · Pull Request #1823 · rust-lang/www.rust-lang.org

rustup perspective: I don't think we have a principled stand here and would be willing to change if a reasoned analysis thought we get a better position vis-a-vis end user security by changing (and recognising that security is a socio-technical problem).

However at this point I think the flags do make sense because they help ensure that the user is getting the software we published (not rustup, the rustup installer script).

This is the origin of the command line in Rustup:

Author: Sander Maijers <contact+github.com@sandermaijers.nl>
Date:   Sun Mar 17 12:45:43 2019 +0100

    Force highest TLS version supported
    
    The integrity and confidentiality of the installer script hinges currently on TLS. It is important to enforce the highest version of TLS in the instructions. Also, enforce the `https` scheme. Should redirects occur in the future, then each URL redirected to must be accessed using TLS 1.2 with HTTP, rather than allowing a plain HTTP link in the chain.

There are two MITM attacks possible on curlsh idioms: the first script download, and then the connections the installed script requests.

The warning you describe comes from the installer script detecting that it can't force validation of the downloaded rustup binary, which is pretty poor. We should perhaps make that a hard error at this time - 4 years later.

Removing the TLS 1.2 forcing from the curlsh idiom means that misconfigurations could end up in an HTTP request in a redirect chain, which would permit trivial MITM malware injection.

I think we should probably look at updating to requiring TLS 1.3 at this point, but that's a different discussion.
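
An added example, not part of the comment above and not rustup's own code: one way a download wrapper can refuse to run, rather than warn, when the local curl cannot enforce the `https` scheme and a TLS 1.2 minimum. The function names `curl_can_enforce` and `fetch_strict` are hypothetical, and the sample help text is constructed.

```shell
#!/bin/sh
# Added example: hard-fail when curl cannot enforce HTTPS-only + TLS >= 1.2.
# Function names are hypothetical; this is not rustup's installer code.

# curl_can_enforce HELP_TEXT
# Returns 0 only if the help text advertises both --proto and --tlsv1.2.
curl_can_enforce() {
    for flag in --proto --tlsv1.2; do
        # -F: fixed string, so the dots in --tlsv1.2 are literal.
        # The trailing space keeps --proto-redir from satisfying --proto.
        printf '%s\n' "$1" | grep -qF -e "$flag " || return 1
    done
    return 0
}

# fetch_strict URL OUTFILE
# Downloads URL to OUTFILE, or refuses if the restrictions cannot be applied.
fetch_strict() {
    help_text=$(curl --help all 2>/dev/null) || help_text=""
    if ! curl_can_enforce "$help_text"; then
        echo "error: curl cannot enforce --proto '=https' --tlsv1.2; not downloading" >&2
        return 1
    fi
    # --proto '=https' allows only HTTPS, for the first request and for any
    #   redirect curl is told to follow, so no plain-HTTP hop can appear.
    # --tlsv1.2 sets the minimum TLS version; -f turns HTTP errors into failures.
    curl --proto '=https' --tlsv1.2 -sSf -o "$2" "$1"
}

# Constructed help output of a curl lacking both options (not from a real build).
old_help='     --proto-redir <protocols>  Enable/disable PROTOCOLS on redirect
     --tlsv1              Use TLSv1.0 or greater'
curl_can_enforce "$old_help" || echo "old curl: refusing to download"
```

Writing to a file first, as `fetch_strict` does, also leaves room to inspect or checksum the script before it is executed.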