Recommended installation method is vulnerable to man in the middle attack

On https://zellij.dev there is instructions to "Try Zellij Without Installing"

This is the script:

```bash
bash <(curl -L zellij.dev/launch)
```

curl uses `http` by default so the initial request will not be protected. Since the `-L` flag is provided, curl eventually follows the redirect to the `https` version.

Its pretty easy in certain situations to intercept the initial `http` request and provide a potentially malicious script.

Users should use `https` instead:

```bash
bash <(curl -L https://zellij.dev/launch)
```

When using `https`, the `-L` flag is no longer needed:

```bash
bash <(curl https://zellij.dev/launch)
```

This applies to the [bash](https://github.com/zellij-org/zellij-org.github.io/blob/4e86bd47d0481a188e7cd8e843f875f8b3cfaece/themes/hello-friend-ng/layouts/index.html#L30) and [fish](https://github.com/zellij-org/zellij-org.github.io/blob/4e86bd47d0481a188e7cd8e843f875f8b3cfaece/themes/hello-friend-ng/layouts/index.html#L35) instructions in this repo, as well as [the instructions in the main zellij repo](https://github.com/zellij-org/zellij/blob/5cb3fb4ad210e50e94f277e2ca8dd93492c4706e/README.md?plain=1#L52)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Recommended installation method is vulnerable to man in the middle attack #182

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Recommended installation method is vulnerable to man in the middle attack #182

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions