Recommended installation method is vulnerable to man in the middle attack

[bddap]

see zellij-org/zellij-org.github.io#182

[sh1boot]

I was inspired to write up something about how curl isn't automatically safe.

It's too endemic to fix, but users can take a few steps to help protect themselves from accidentally pasting a bad command into their terminal.

[bddap]

It's cool that we can search github to find all those instances. I wonder how hard it would be to write a bot that submits prs fixing for those vulnerable parts.

[sh1boot]

That's just the results which don't specify any scheme. I tried to do a separate search for http:// and found another 5k results, but that's more noisy (many results might have good reasons for their choice).

I didn't search for wget, but I noticed wget uses HSTS by default so I guess that's a better starting point, and it'd only be worth searching with a filter to exclude preloaded sites.

I guess the thing to do, and I don't really know how, would be to filter out all the URLs and see how many of them do respond with the proper redirect and the same data on https. If they don't behave the same then the PR would just break stuff.

I think I would want to check in with GitHub staff before trying to create 16000 pull requests.