From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 76988 invoked by alias); 12 Mar 2019 20:35:09 -0000 Mailing-List: contact cygwin-help@cygwin.com; run by ezmlm Precedence: bulk List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner@cygwin.com Mail-Followup-To: cygwin@cygwin.com Received: (qmail 76980 invoked by uid 89); 12 Mar 2019 20:35:09 -0000 Authentication-Results: sourceware.org; auth=none X-Spam-SWARE-Status: No, score=-0.7 required=5.0 tests=BAYES_00,FREEMAIL_FROM,KAM_THEBAT,RCVD_IN_DNSWL_LOW,SPF_PASS autolearn=no version=3.3.1 spammy=UD:ru, terrible, H*M:yandex, H*RU:sk:forward X-HELO: forward100j.mail.yandex.net Received: from forward100j.mail.yandex.net (HELO forward100j.mail.yandex.net) (5.45.198.240) by sourceware.org (qpsmtpd/0.93/v0.84-503-g423c35a) with ESMTP; Tue, 12 Mar 2019 20:35:06 +0000 Received: from mxback17g.mail.yandex.net (mxback17g.mail.yandex.net [IPv6:2a02:6b8:0:1472:2741:0:8b7:317]) by forward100j.mail.yandex.net (Yandex) with ESMTP id E235350E1129; Tue, 12 Mar 2019 23:35:02 +0300 (MSK) Received: from smtp1o.mail.yandex.net (smtp1o.mail.yandex.net [2a02:6b8:0:1a2d::25]) by mxback17g.mail.yandex.net (nwsmtp/Yandex) with ESMTP id Iq9zw1urdM-Z2ZK6MmV; Tue, 12 Mar 2019 23:35:02 +0300 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yandex.ru; s=mail; t=1552422902; bh=TrXc0QYGJiB6NsjMT88VIqa/dMat9K0ANqMIiPtR/R0=; h=In-Reply-To:Subject:To:Reply-To:From:Message-ID:References:Date; b=lz0/rQc/B2JToBlpY8coQKrgwiZA/QqiX7ugIE7kCkEcc955I+/3tpPJ+1Hve4IF+ nyEt0nXDVZQZ4bctIyHIgk8c8bHrnsP+xwSutn6z//y5GTwEklJ2QTuBXFRhp5npCs w/P2wZbLQkVNaA0qwbmwbbkbfwIExMUqOY3JfzYo= Authentication-Results: mxback17g.mail.yandex.net; dkim=pass header.i=@yandex.ru Received: by smtp1o.mail.yandex.net (nwsmtp/Yandex) with ESMTPSA id tLlcjmU0OD-Z1X43SYD; Tue, 12 Mar 2019 23:35:01 +0300 (using TLSv1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)) (Client certificate not present) Received: from [192.168.1.10] (HELO daemon2.darkdragon.lan) by daemon2 (Office Mail Server 0.8.12 build 08053101) with SMTP; Tue, 12 Mar 2019 20:33:40 -0000 Date: Tue, 12 Mar 2019 20:35:00 -0000 From: Andrey Repin Reply-To: cygwin@cygwin.com Message-ID: <1715197846.20190312233340@yandex.ru> To: Lee , cygwin@cygwin.com Subject: Re: SSL not required for setup.exe download In-Reply-To: References: <1a840c2e-55ac-0ab4-66c4-a1f6a2c4f81a@Shaw.ca> <41f12842-ea43-ff63-a660-26ee3b497c63@SystematicSw.ab.ca> <1b570593-0ec7-0890-26ef-7e7468534f47@SystematicSw.ab.ca> <1406950005.20190312031618@yandex.ru> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-IsSubscribed: yes X-SW-Source: 2019-03/txt/msg00312.txt.bz2 Greetings, Lee! >> Which is way worse in my opinion, than any theoretical MITM attack, which >> is easily mitigated with proper validation of your downloads. > Serious question - exactly how does one do "proper validation of your > downloads"? Use PGP signature to validate the installer. Use separate channel to obtain trust records for PGP key used in signing. And not blindly trust "supposedly-secure" connections. -- With best regards, Andrey Repin Tuesday, March 12, 2019 23:31:45 Sorry for my terrible english... -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple