Not if you're a MITM attacker... CPAN (presumably) retrieves its source code eit... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		tokenizerrr on July 28, 2014 \| parent \| context \| favorite \| on: Mojolicious – Perl real-time web framework Not if you're a MITM attacker... CPAN (presumably) retrieves its source code either over HTTPS or validates what it downloads using signing keys like 'doesnt_know' referred to. These curl scripts do not, they just grab executable code using http, and then blindly execute it. If you were MITMing these people, you could easily adjust this code and pwn their machines. This isn't about CPAN/github getting compromised, this is about things being modified on the wire (which is a very real possibility when using insecured wifi, or less likely if for some reason the goverment wants you).

friedo on July 28, 2014 [–]

So then install it via CPAN, or via your OS package manager.

tokenizerrr on July 28, 2014 | [–]

Yes, I realize this is possible. The point is we shouldn't encourage other developers to use insecure methods when secure alternatives are easily available.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact