Insecure downloads: cargo-leptos downloads binaries without checking their cryoptographic hashes

[yurivict]

For example this download.
src/ext/exe.rs also has a lot of other URLs that are used to download various binaries without checking cryptographic hashes.

An adversary can intercept internet connections and can substitute a binary with the malicious or compromised one.

Please note that almost all large corporations intercept https connections by forcing users to install their https certificates so that most users don't even know that they might be spied on. Some countries require everybody to install https certificates. Malicious actors might also run malicious WiFi access points and intercept https connections.

The situation when someone can be snooping on https connctions already takes place in a lot of situations.
This is why it's important to check cryptographic hashes.

[benwis]

I'd love to add cryptographic hash checking to this feature, time permitting. We do have the --no_downloads flag that installs cargo-leptos and doesn't do this. PRs are always welcome

[wischi-chr]

Please note that almost all large corporations intercept https connections by forcing users to install their https certificates so that most users don't even know that they might be spied on. Some countries require everybody to install https certificates. Malicious actors might also run malicious WiFi access points and intercept https connections.

The situation when someone can be snooping on https connctions already takes place in a lot of situations.
This is why it's important to check cryptographic hashes.

Adding this feature might bring some very small benefits but if hijacked https connections are your attack scenario, then all bets are off anyway. If someone has a root certificate installed on your machine, they could also intercept the "cargo install" requests and download and compile broken version that installs malware.

They can man-in-the-middle all your traffic and you could no longer trust anything that happens on that machine anyway. Any manual or automatic download that happens. Even the update mechanism of your OS would be completely vulnerable to that attack.
So I don't think that's a scenario one should care about on the application level, why would any attacker that has access to your HTTPS connections chose cargo-leptos when they could just intercept/manipulate the update mechanism of your operating system.

I know there are companies (and some anti-virus-software, etc.) that installs root certificates and intercept HTTPS traffic that way, but if you are on such a machine, you've already lost and all bets are off.

It's a bit like worrying on the application layer about untrusted hardware like hardware, keyloggers and backdoored network cards. Of course such attack vectors do exist but that's nothing you should worry about in typical applications, because there is nothing you could do about it.