
Don't ask people to copy-paste commands into terminal

Open caspear opened this issue 10 years ago • 2 comments

On https://pond.imperialviolet.org/ you ask people to copy-paste some shell commands directly into a terminal.

That is a terrible security practice, because of https://thejh.net/misc/website-terminal-copy-paste

Please change your wording to ask them to paste the commands elsewhere first, so that it doesn't look like you are trying to attack them.

caspear, Jun 01 '15 21:06

I feel this is already part of the threat model:

"The user obtains an authentic copy of Pond. The computer correctly executes the program and is not compromised by malware."

shawnl, Jun 04 '15 00:06

I think I am being insufficiently clear.

The page explicitly instructs the end user to copy code from a web page and paste it directly into the terminal.

That is not a safe operation, because there is no WYSIWYG when copying from a web browser. Teaching people that it is an acceptable thing to do encourages development and persistence of harmful practices.

I made you a pull request that hopefully demonstrates what I am trying to say.

caspear, Jun 04 '15 21:06
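The "paste it elsewhere first" step discussed in this thread can be done mechanically: the sketch below is an added example, not part of the original issue or of the Pond project, and it reports how clipboard text differs from what the page displayed. The function names, finding labels and sample strings are assumptions constructed for illustration.

```python
import unicodedata
from typing import List, Optional


def escaped(text: str) -> str:
    """Render text with every control and non-ASCII character made visible."""
    return text.encode("unicode_escape").decode("ascii")


def inspect_paste(clipboard: str, expected: Optional[str] = None) -> List[str]:
    """Return findings for clipboard text; an empty list means nothing flagged.

    `expected` is the command as it was displayed on the page, typed by hand
    or read aloud, never taken from the clipboard itself.
    """
    findings = []
    # What arrived is not what was shown (ignoring surrounding whitespace).
    if expected is not None and clipboard.strip() != expected.strip():
        findings.append("differs-from-visible-text")
    # Any line break means a shell would run something before the user
    # has had a chance to read the pasted text and press Enter.
    if any(ch in "\r\n" for ch in clipboard):
        findings.append("line-break")
    categories = {unicodedata.category(ch) for ch in clipboard
                  if ch not in "\r\n\t"}
    # Cc: terminal control characters such as ESC or backspace.
    if "Cc" in categories:
        findings.append("control-character")
    # Cf: zero-width and bidirectional-override characters that do not
    # render but change what the shell receives or how it is displayed.
    if "Cf" in categories:
        findings.append("format-character")
    return findings


if __name__ == "__main__":
    # Constructed sample: the page displayed VISIBLE, the clipboard held PASTED.
    VISIBLE = "ls -l /tmp"
    PASTED = "ls -l \necho constructed-hidden-line\n"
    print(escaped(PASTED))
    print(inspect_paste(PASTED, VISIBLE))
```

Pasting into a plain text editor performs the same comparison by eye; the escaped rendering is what makes characters that an editor would not draw show up.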