From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 128360 invoked by alias); 12 Mar 2019 00:20:08 -0000 Mailing-List: contact cygwin-help@cygwin.com; run by ezmlm Precedence: bulk List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner@cygwin.com Mail-Followup-To: cygwin@cygwin.com Received: (qmail 128352 invoked by uid 89); 12 Mar 2019 00:20:07 -0000 Authentication-Results: sourceware.org; auth=none X-Spam-SWARE-Status: No, score=-0.7 required=5.0 tests=BAYES_00,FREEMAIL_FROM,KAM_THEBAT,RCVD_IN_DNSWL_LOW autolearn=no version=3.3.1 spammy=occasion, unlimited, HX-Languages-Length:1867, reassure X-HELO: forward102j.mail.yandex.net Received: from forward102j.mail.yandex.net (HELO forward102j.mail.yandex.net) (5.45.198.243) by sourceware.org (qpsmtpd/0.93/v0.84-503-g423c35a) with ESMTP; Tue, 12 Mar 2019 00:20:05 +0000 Received: from mxback9j.mail.yandex.net (mxback9j.mail.yandex.net [IPv6:2a02:6b8:0:1619::112]) by forward102j.mail.yandex.net (Yandex) with ESMTP id 1A396F2070E; Tue, 12 Mar 2019 03:20:02 +0300 (MSK) Received: from smtp1j.mail.yandex.net (smtp1j.mail.yandex.net [2a02:6b8:0:801::ab]) by mxback9j.mail.yandex.net (nwsmtp/Yandex) with ESMTP id yXWX9ONaUp-K2Yq8pYv; Tue, 12 Mar 2019 03:20:02 +0300 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yandex.ru; s=mail; t=1552350002; bh=EVbx+KTHxjWPfVdqs5f95vrsbMQp7rolBDFlY2Aj6hk=; h=In-Reply-To:Subject:To:Reply-To:From:Message-ID:References:Date; b=eQ7oS59n5WQNTcDBkOPu9Xne2A6gsbnYuLDGsM3IRGtEEfw+6fvB+6DO2wU+RljPi Uf+YFfb5GQ/J+cz3eGQ4RDaQklqN8aie+0342mlBZfSFh+rpMuolVPR5SUBZ29XbHw 1UMnKY53LmWdyknWPzSLeQWMOQ9FICH4BIBucrH0= Authentication-Results: mxback9j.mail.yandex.net; dkim=pass header.i=@yandex.ru Received: by smtp1j.mail.yandex.net (nwsmtp/Yandex) with ESMTPSA id 7FpNdfx7sV-K1eeTucl; Tue, 12 Mar 2019 03:20:01 +0300 (using TLSv1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)) (Client certificate not present) Received: from [192.168.1.10] (HELO daemon2.darkdragon.lan) by daemon2 (Office Mail Server 0.8.12 build 08053101) with SMTP; Tue, 12 Mar 2019 00:16:19 -0000 Date: Tue, 12 Mar 2019 00:20:00 -0000 From: Andrey Repin Reply-To: cygwin@cygwin.com Message-ID: <1406950005.20190312031618@yandex.ru> To: Archie Cobbs , cygwin@cygwin.com Subject: Re: SSL not required for setup.exe download In-Reply-To: References: <1a840c2e-55ac-0ab4-66c4-a1f6a2c4f81a@Shaw.ca> <41f12842-ea43-ff63-a660-26ee3b497c63@SystematicSw.ab.ca> <1b570593-0ec7-0890-26ef-7e7468534f47@SystematicSw.ab.ca> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-IsSubscribed: yes X-SW-Source: 2019-03/txt/msg00269.txt.bz2 Greetings, Archie Cobbs! > On Mon, Mar 11, 2019 at 2:43 PM Brian Inglis >> On 2019-03-11 07:43, Archie Cobbs wrote: >> > On Sun, Mar 10, 2019 at 10:51 PM Brian Inglis wrote: >> >>>>> Is there any reason not to force this redirect and close this security hole? >> >> There are apparently reasons not to force this redirect as it can also cause a >> >> security hole. >> > That's really interesting. Can you provide more detail? >> >> Search for HTTP HTTPS redirection SSL stripping MitM attack > I did, but I only get results relating to the "stripping" attack, > which downgrades from HTTPS to HTTP. > Obviously that would cause a reduction in security... But what I'm > suggesting is the opposite: redirecting from HTTP to HTTPS. > How could that reduce security? > (sigh) > I must say I'm surprised so many people think it's a good idea to > leave cygwin open to trivial MITM attacks, which is the current state > of affairs. > This is my opinion only of course, but if cygwin wants to have any > security credibility, it should simply disallow non-SSL downloads of > setup.exe. Otherwise the chain of authenticity is broken forever. All the SSL stuff is build on idea of implicit unlimited trust. Which is way worse in my opinion, than any theoretical MITM attack, which is easily mitigated with proper validation of your downloads. It gives you false sense of security. What is worse, everybody is attempting to reassure this false sense on every possible occasion. P.S. Unrelated to the ongoing discussion, please teach your mail client to not quote raw email addresses. The mailing list is publicly archived. There's no pressing need to feed every spambot in existence with a new batch of fresh targets. -- With best regards, Andrey Repin Tuesday, March 12, 2019 3:11:28 Sorry for my terrible english... -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple