Aug 05 2014

npm is the de facto package manager for the node.js javascript network programming environment thingee.

The folks who make npm have taken a security leap:

npm no longer supports its self-signed certificates

Ah, they build the bastions of light and goodness, protecting us from the sins of the masses by standing tall.

So… how do you install npm, anyway? Ah, yes, you look it up on their site... let’s see… why, it’s as simple as executing raw shell commands from a host, what could go wrong with that?

But let’s test it out. It’s simply this (they thoughtfully tell you to add the -L option, which tells curl to follow wherever they decide to redirect you in the webs):

$ curl -L https://npmjs.org/install.sh | sh
$

Nothing happened? Ah, they tell you to use a stupid shell so they fail silently; try again with something with a brain, bash this time.

curl -L https://npmjs.org/install.sh | bash
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  6711  100  6711    0     0  17161      0 --:--:-- --:--:-- --:--:-- 17161
tar=/bin/tar
version:
tar (GNU tar) 1.20
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Written by John Gilmore and Jay Fenlason.
install npm@latest
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). The default
bundle is named curl-ca-bundle.crt; you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). The default
bundle is named curl-ca-bundle.crt; you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
Failed to get tarball url for npm/latest
silent /etc/d3ck/tmptmp 1078 > curl -L https://npmjs.org/install.sh | sh
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  6711  100  6711    0     0  18132      0 --:--:-- --:--:-- --:--:-- 18132

Yes, the same thing you always see… a crypto error, because they don’t use a valid certificate, and I don’t think they ever have. But hell, obviously these security minded folks want you to simply follow the 301s, wherever they go, execute arbitrary code from pseudo-random sites, and stop asking pesky questions.

Fortunately you can tell curl to ignore the certificate with the --insecure option (obviously the curl people are exaggerating by naming it that!) and run it again:

$ curl -k -L https://npmjs.org/install.sh | bash
[errors much like above]

Well shoot. It looks like they run curl inside the script that runs curl that follows their redirects to sites with broken certificates. You folks just fill me with confidence – well, confidence that you don’t know your head from a hole in the ground WRT security.
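For contrast, here is what the safer form of that one-liner looks like in POSIX sh. This is an added example, not code from the npm installer or from this post: fetch to a file with certificate verification left on, refuse redirects that leave HTTPS, compare the file against a digest obtained out of band, and only then hand it to the shell. The URL and digest in the usage comment are placeholders.

```shell
#!/bin/sh
# Download-then-verify replacement for "curl -L URL | sh".
# Added example; not the npm project's installer.

# Compute a SHA-256 hex digest with whichever tool is available.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/^.*= //'
    fi
}

# Fetch to a file with certificate verification ON, redirects capped and
# limited to HTTPS, and a hard failure on HTTP errors (no silent empty
# output as with plain "curl | sh"). A self-signed cert you have actually
# decided to trust goes in --cacert instead of reaching for -k.
fetch_script() {
    url=$1; dest=$2
    curl --fail --silent --show-error \
         --location --max-redirs 3 \
         --proto '=https' --proto-redir '=https' \
         --output "$dest" "$url"
}

# Compare the downloaded file against a digest obtained out of band
# (release notes, signed checksum file); run it only if they match.
verify_then_run() {
    file=$1; expected=$2
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch: expected $expected, got $actual" >&2
        return 1
    fi
    sh "$file"
}

# Usage (placeholder URL and digest):
#   tmp=$(mktemp) && fetch_script https://example.invalid/install.sh "$tmp" \
#     && verify_then_run "$tmp" <sha256-from-release-page>
```

The digest check is what turns "whatever the redirect chain handed me" into "the file the publisher said they shipped"; without an out-of-band value to compare against, the download step alone still only proves you talked to some server that passed TLS verification.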

I suppose it’s better than node.js was a year or two ago, when their official advice was to:

curl -Ls goo.gl/JD2SR | bash

What does that do? Well, they even removed the pretense – this isn’t even a secure site, it’s using an obfuscator, and they tell curl to ignore any pesky errors or warnings.

Following that single line above with strace revealed 1.6GB of data being tossed around, 16 hosts being involved, and who knows (I lost the output, sorry, lol) how many hundreds of programs, files, and other things were involved.

And these are the people trying to tell me how to use certificates? They may be gods at networking, but they blow chunks with security. GTFO my lawn, whippersnappers, and stop chasing dreams you read in CSO magazine or wherever else you get your crappy security 411. And stop trying to demonize self-signed certs, which I guarantee you are far more numerous and far more useful than the crap they try to sell you at Verisign et al*.

God, certificates suck.

Thanks to the activity village folks. This is worth more than most crypto certs out there, surely

* In this case nothing against Verisign, it’s just the entire rotten group of certificate authorities out there.
