The usage of HTTPS is not enforced here. As it is possible for the HTTP client to follow redirects, such redirects might lead to websites using HTTP.
As HTTP is a clear-text protocol, it is considered insecure. Due to its lack of encryption, attackers that are able to sniff traffic from the network can read, modify, or corrupt the transported content. Therefore, allowing redirects to HTTP can lead to several risks:
Even in isolated networks, such as segmented cloud or offline environments, it is important to ensure the usage of HTTPS. If not, then insider threats with access to these environments might still be able to monitor or tamper with communications.
There is a risk if you answered yes to the question.
--proto "=https". -L or
--location option. In this example, an install script is downloaded using curl and then executed.
Several options are set to ensure secure execution of the HTTP request using curl. However, as the option -L is set,
https://might-redirect.example.com/install.sh might redirect curl to a location that uses HTTP. If this is the case, an attacker can
change the install script that will be executed on the host system.
FROM ubuntu:22.04 # Sensitive RUN curl --tlsv1.2 -sSf -L https://might-redirect.example.com/install.sh | sh
By adding the option --proto "=https" to the HTTP request, curl will only execute requests made using HTTPS. If a redirect goes to an
insecure (HTTP) location, the request will not be executed. This ensures that no tampering can occur.
FROM ubuntu:22.04 RUN curl --proto "=https" --tlsv1.2 -sSf -L https://might-redirect.example.com/install.sh | sh
--proto <protocols>