This looks to be a very specific tool to check URLs on the command line. Terminal emulators don't care about that. Even shells running in those terminal emulators don't care about those specifics because why would they. One could easily want to do something with a funny url like that that doesn't involve content fetching etc.
If you can disable Unicode in your terminal emulator, then it will be. (Unfortunately, that won't help if you want Unicode in your terminal emulator, though.)
As a child in the 1980s we'd go for long walks in the woods. One time a friend brought a pair of 30 inch bolt cutters with him, you know, as a personality extension. And of course, there was some dubious reason to use them, and he was a hero for being over-provisioned.
A solution like this is those bolt cutters - I can admire it, but the odds I'm out on a walk with it, is very, very low.
Now if you work in a bolt factory, sure, this can run on every laptop, every user account, every environment.
But I'd hope my edge firewalls are L7 scanning for cyrillic 'i' in my domains cause otherwise I'm just gonna connect and get myself hacked.
Also there's always the risk that the bolt cutter has a defect (perhaps deliberately introduced at some point when it was manufactured) which will cause you more damage than the thing you're trying to prevent by carrying it.
I'm personally a bit wary of introducing a relatively obscure security tool into my setup, to protect against a rare possible attack. The chance that I'll get caught copy-pasting a compromised URL into my terminal is fairly small, and there's also a small chance I'll compromise my system either now or at some later point via a supply chain attack if I use the tool. Which chance is bigger?
Are you really inspecting every app you install, including all its dependencies, and the dependencies of those dependencies, to a level of detail sufficient to identify sophisticated and obfuscated backdoors?
In the real world, nobody does this. Instead, you make a conscious choice to trust the apps that you install. Every decision of whether to install an app is a tradeoff between (a) the risk that that trust is misplaced, and (b) the benefits of the app.
The word tirith means guard (or watch) in Sindarin, one of Tolkien's languages from Lord of the Rings. See also Minas Tirith! I really enjoy this utility's name.
How on Earth did something like this become the norm?
I don't work with software like most here, but just opening the Cargo.lock file sets off an alarm in my brain.
After seeing how much stuff was pulled when I once installed a couple programs with cargo, I added it to the "don't touch a project if it's made with this language" pile, alongside NIM and Python (though Python I can't quite avoid).
I use non-Unicode terminal mode (I might prefer to use a terminal emulator that does not support Unicode but you can add fonts for arbitrary character sets (of your choice, so that none are forced) instead) and program the browser to always display URLs as ASCII. So, when I copy the text to the terminal, I get "#" in place of the Cyrillic alphabets.
I think making IDN work the way it does was a mistake. I thought of making IDN with a character set specific for that use (I did think about how it would work) instead of using Unicode or any other existing character sets (none of them are suitable, as far as I am concerned; however, this new IDN character set would potentially be suitable for some other uses such as perhaps package names). Using one character set for everything is not very good, and Unicode is especially bad for this. (Although in my opinion, TRON code is generally better than Unicode, neither TRON code nor Unicode is the one to use for this)
However, there are other problems with paste in the terminal window, but bracketed paste mode can mitigate some of these problems in some cases, it is not entirely helpful.
They do provide installation commands for every platform that aren't vulnerable to homograph attacks due to GitHub not allowing Unicode characters in user/repo names :)
If you download and run an MSI, or deb,(which probably requests root, and runs arbitrary scripts you can't easily examine) then you're not paying attention and nothing matters
A simpler solution: examine the URL displayed in the browser window before copying terminal commands from the page. E.g. "starts with github.com" -> "trusted GitHub UI indicates the repo is the official one for this project" -> "URL points to the official project README" -> "terminal commands are most likely not malicious, and if they are, there's a bigger problem here".
Of course, more secure installation methods should be preferred, but those are not always available. I am simply comparing the provided solution to homograph attacks with another solution to the same problem.
The whole point is that someone could put a Cyrillic "i" in "github" and your eyes can't tell the difference. The actual GitHub link might be real and valid and you checked; you might still hit "g[cyrillic i]thub.com" and not the real GitHub.
26 comments
[ 3.1 ms ] story [ 72.6 ms ] threadThis is not and has never been safe.
As a child in the 1980s we'd go for long walks in the woods. One time a friend brought a pair of 30 inch bolt cutters with him, you know, as a personality extension. And of course, there was some dubious reason to use them, and he was a hero for being over-provisioned.
A solution like this is those bolt cutters - I can admire it, but the odds I'm out on a walk with it, is very, very low.
Now if you work in a bolt factory, sure, this can run on every laptop, every user account, every environment.
But I'd hope my edge firewalls are L7 scanning for cyrillic 'i' in my domains cause otherwise I'm just gonna connect and get myself hacked.
I'm personally a bit wary of introducing a relatively obscure security tool into my setup, to protect against a rare possible attack. The chance that I'll get caught copy-pasting a compromised URL into my terminal is fairly small, and there's also a small chance I'll compromise my system either now or at some later point via a supply chain attack if I use the tool. Which chance is bigger?
This is, for me, a "set and forget" kind of tool -- why would i need to update a script?
In the real world, nobody does this. Instead, you make a conscious choice to trust the apps that you install. Every decision of whether to install an app is a tradeoff between (a) the risk that that trust is misplaced, and (b) the benefits of the app.
Then again, I don't blindly pipe directly from the network into the shell either.
After seeing how much stuff was pulled when I once installed a couple programs with cargo, I added it to the "don't touch a project if it's made with this language" pile, alongside NIM and Python (though Python I can't quite avoid).
I think making IDN work the way it does was a mistake. I thought of making IDN with a character set specific for that use (I did think about how it would work) instead of using Unicode or any other existing character sets (none of them are suitable, as far as I am concerned; however, this new IDN character set would potentially be suitable for some other uses such as perhaps package names). Using one character set for everything is not very good, and Unicode is especially bad for this. (Although in my opinion, TRON code is generally better than Unicode, neither TRON code nor Unicode is the one to use for this)
However, there are other problems with paste in the terminal window, but bracketed paste mode can mitigate some of these problems in some cases, it is not entirely helpful.
a pre exec handler for your shell gives somebody a lot of power. if this gets sufficiently popular, pwning this brew package can get one faar...
Brew is installed by copying a command line-
https://brew.sh
I mean, I guess you could retype it, but there is no intention for anyone to do that.
Of course, more secure installation methods should be preferred, but those are not always available. I am simply comparing the provided solution to homograph attacks with another solution to the same problem.