jm + curl   7

Mozilla Employee Denied Entry to the United States
Ugh. every non-USian tech worker's nightmare. curl developer Daniel Stenberg:
“I can’t think of a single valid reason why they would deny me travel, so what concerns me is that somehow someone did and then I’m worried that I’ll get trouble fixing that issue,” Stenberg said. “I’m a little worried since border crossings are fairly serious matters and getting trouble to visit the US in the future would be a serious blowback for me, both personally with friends and relatives there, and professionally with conferences and events there.”
curl  travel  mozilla  esta  us-politics  usa  immigration  flying 
11 weeks ago by jm
Detecting the use of "curl | bash" server side
tl;dr:
The better solution is never to pipe untrusted data streams into bash. If you still want to run untrusted bash scripts a better approach is to pipe the contents of URL into a file, review the contents on disk and only then execute it.
bash  security  shell  unix  curl  tcp  buffers 
april 2016 by jm
s3.amazonaws.com "certificate verification failed" errors due to crappy Verisign certs and overzealous curl policies
Seth Vargo is correct. Its not the bit length of the key which is at issue, its the signature algorithm. The entire keychain for the s3.awsamazon.com key is signed with SHA1withRSA:

https://www.ssllabs.com/ssltest/analyze.html?d=s3.amazonaws.com&s=54.231.244.0&hideResults=on

At issue is that the root verisign key has been marked as weak because of SHA1 and taken out of the curl bundle which is widely popular, and this issue will continue to cause more and more issues going forwards as that bundle makes it way into shipping o/s distributions and aws certification verification breaks.


'This is still happening and curl is now failing on my machine causing all sorts of fun issues (including breaking CocoaPods that are using S3 for storage).' -- @jmhodges

This may be a contributory factor to the issue @nelson saw: https://nelsonslog.wordpress.com/2015/04/28/cyberduck-is-responsible-for-my-bad-ssl-certificate/

Curl's ca-certs bundle is also used by Node: https://github.com/joyent/node/issues/8894 and doubtless many other apps and packages.

Here's a mailing list thread discussing the issue: http://curl.haxx.se/mail/archive-2014-10/0066.html -- looks like the curl team aren't too bothered about it.
curl  s3  amazon  aws  ssl  tls  certs  sha1  rsa  key-length  security  cacerts 
april 2015 by jm
curl | sh
'People telling people to execute arbitrary code over the network. Run code from our servers as root. But HTTPS, so it’s no biggie.'

YES.
humor  sysadmin  ops  security  curl  bash  npm  rvm  chef 
november 2014 by jm
Axel
A nice curl/wget replacement which supports multi-TCP-connection downloads of HTTP/FTP resources. packaged for most Linux variants and OSX via brew
axel  curl  wget  via:johnke  downloading  tcp  http  ftp  ubuntu  debian  unix  linux 
september 2014 by jm
SuperTweet.Net
free Twitter proxy for access to the Twitter API without requiring OAuth, perfect for stupid read-only stuff like my filter-tweets script (via Padraig)
via:pixelbeat  api  oauth  proxy  twitter  web  http  curl  supertweet  from delicious
september 2010 by jm

Copy this bookmark:



description:


tags: