Rustup: http://www.rustup.rs/ should 301 redirect to https://www.rustup.rs/ with the HSTS header.

Created on 29 Mar 2016 · 9Comments · Source: rust-lang/rustup

I must have set up the redirect incorrectly because it's not doing it.

Source

brson

👍1

All 9 comments

Aside from the redirect, https://rustup.rs/ does not seem to serve a Strict-Transport-Security header.

It looks like there's an S3 limitation there: https://serverfault.com/q/820939/44697.

sourcefrog on 2 Oct 2017

❤1

curl https://sh.rustup.rs -sSf | sh

The entry point of the Rust Programming Language is under control of the Serbian National Register of Internet Domain Names (.rs).
rustup.rs does not support authenticated DNS responses (DNSSEC).
The footgun of not being HSTS preloaded is still present.
https://www.hardenize.com/report/rustup.rs/1558088762#www_hsts
https://hstspreload.org/?domain=rustup.rs
Is rustup.sh owned by the Rust project? I make this mistake too often! :-/

Darkspirit on 17 May 2019

It looks like there's an S3 limitation there: https://serverfault.com/q/820939/44697.

We have infra in place to fix this, I'll set it up in the coming days.

The entry point of the Rust Programming Language is under control of the Serbian National Register of Internet Domain Names (.rs).

Not something we can fix unfortunately :(

rustup.rs does not support authenticated DNS responses (DNSSEC).

As far as I can see the .rs TLD doesn't support DNSSEC at all.

The footgun of not being HSTS preloaded is still present.

Does curl actually check the preload list? Doesn't seem so after a quick search. Anyway my comment on the other issue still applies here.

Is rustup.sh owned by the Rust project? I make this mistake too often! :-/

Nope, it's not in any of the domain registrars used by the infra team.

pietroalbini on 18 May 2019

Is rustup.sh owned by the Rust project? I make this mistake too often! :-/

@nrc Do you know who owns rustup.rs? @brson ?

kinnison on 18 May 2019

@kinnison rustup.rs is in an account controlled by the infra team.

pietroalbini on 18 May 2019

@pietroalbini oops, I'm good at misreading things :D thanks.

kinnison on 19 May 2019

HSTS is now enabled on rustup.rs!

pietroalbini on 9 Sep 2019

❤1

Please reopen. HSTS is not enabled for first-time visitors:
https://hstspreload.org/?domain=rustup.rs

Darkspirit on 9 Sep 2019

@Darkspirit opened a new issue to track that: https://github.com/rust-lang/rustup.rs/issues/1987

pietroalbini on 9 Sep 2019

❤1

Was this page helpful?

0 / 5 - 0 ratings

Related issues

Homebrew conflicts with rustup (detect and warn about it?)

kornelski · 3Comments

Targeting x86_64-apple-darwin on Linux yields linking errors

netgusto · 4Comments

`rustup override` handles symlinks to directories poorly

daboross · 4Comments

Unable to use rust behind enterprise firewall

ghost · 3Comments

--no-prompt option to rustup-init fails

jimmycuadra · 4Comments