From: Brian Inglis
Reply-To: Brian.Inglis@Shaw.ca
To: cygwin@cygwin.com
Subject: Re: SSL not required for setup.exe download
Date: Sun, 10 Mar 2019 14:16:00 -0000
Message-ID: <1a840c2e-55ac-0ab4-66c4-a1f6a2c4f81a@Shaw.ca>
X-SW-Source: 2019-03/txt/msg00219.txt.bz2

On 2019-03-09 21:54, Archie Cobbs wrote:
> The FAQ states:
> The Cygwin website provides the setup program (setup-x86.exe or
> setup-x86_64.exe) using HTTPS (SSL/TLS).
> While this is true, it's not mandatory.
> If one happens to go to HTTP://www.cygwin.com instead of
> HTTPS://www.cygwin.com, then neither the page you are viewing (which
> contains the setup.exe download link), nor the setup.exe download link
> itself are secured via SSL.
> So someone who just types "cygwin.com" into the browser location bar
> and clicks on the setup.exe link is vulnerable to a MITM attack.
> It would be safer if http://www.cygwin.com always redirected you to
> https://www.cygwin.com, where the page and the link are SSL.
> Is there any reason not to force this redirect and close this security hole?

The whole sourceware.org site, including cygwin.com, uses HSTS, which compliant, supporting clients can use to switch to communicating over HTTPS. Clients which are not compliant or don't support HTTPS may still download the programs and files.

--
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada
This email may be disturbing to some readers as it contains too much technical detail. Reader discretion is advised.

--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
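The exchange above turns on what HSTS does and does not do for the plain-HTTP first visit that Archie describes. The following is an added example, not code from Cygwin, sourceware.org or either poster: it models the client side of RFC 6797 (parse the Strict-Transport-Security header, remember the host only when the header arrived over HTTPS, upgrade later http:// URLs while the entry is unexpired) and separately checks whether an http:// response is a redirect to https://. All hostnames and response headers in it are constructed, not captured from cygwin.com; the class and function names are the example's own.

```python
"""Model of an HSTS-aware client plus a check for an HTTP-to-HTTPS redirect.

Added example (not Cygwin/sourceware code). The sample URLs and headers used
below are constructed; nothing here talks to the network.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit
import time


@dataclass
class HstsEntry:
    expires: float           # absolute time (seconds) at which the policy lapses
    include_subdomains: bool


def parse_sts(header_value):
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1).

    Returns (max_age, include_subdomains), or None when the header is invalid
    (missing max-age, non-numeric max-age, or a duplicated directive).
    Unknown directives such as 'preload' are ignored, as the RFC requires.
    """
    max_age, include_sub, seen = None, False, set()
    for directive in header_value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


class HstsCache:
    """The per-client 'known HSTS hosts' store a browser keeps."""

    def __init__(self, now=time.time):
        self.now = now           # injectable clock so expiry can be tested
        self.hosts = {}

    def observe(self, url, headers):
        """Record a policy from a response; returns True if one was applied.

        The header is honoured only on responses received over HTTPS. On a
        plain http:// response it must be ignored (RFC 6797 section 8.1), which
        is exactly why a first visit over HTTP gains nothing from HSTS.
        """
        parts = urlsplit(url)
        if parts.scheme != "https":
            return False
        sts = next((v for k, v in headers if k.lower() == "strict-transport-security"), None)
        parsed = parse_sts(sts) if sts is not None else None
        if parsed is None:
            return False
        max_age, include_sub = parsed
        host = parts.hostname.lower()
        if max_age == 0:
            self.hosts.pop(host, None)   # max-age=0 asks the client to forget the host
            return True
        self.hosts[host] = HstsEntry(self.now() + max_age, include_sub)
        return True

    def is_known(self, host):
        """Match the host itself, or any unexpired ancestor with includeSubDomains."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.hosts.get(".".join(labels[i:]))
            if entry is None or entry.expires <= self.now():
                continue
            if i == 0 or entry.include_subdomains:
                return True
        return False

    def rewrite(self, url):
        """Return the URL the client would actually fetch (RFC 6797 section 8.3)."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known(parts.hostname):
            # Port 80 becomes 443 (dropped from the URL); other ports are kept.
            netloc = parts.hostname if parts.port in (None, 80) else f"{parts.hostname}:{parts.port}"
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url


def redirects_to_https(status, headers):
    """True when an http:// response is a redirect whose Location is https://."""
    if status not in (301, 302, 307, 308):
        return False
    loc = next((v for k, v in headers if k.lower() == "location"), None)
    return loc is not None and urlsplit(loc).scheme == "https"


if __name__ == "__main__":
    cache = HstsCache()
    url = "http://www.example.test/setup-x86_64.exe"        # constructed
    print("first visit fetches:", cache.rewrite(url))       # unchanged: nothing known yet
    cache.observe("https://www.example.test/",
                  [("Strict-Transport-Security", "max-age=31536000; includeSubDomains")])
    print("after an HTTPS visit:", cache.rewrite(url))      # upgraded to https://
```

The two functions answer the two halves of the thread: `HstsCache` shows that a client upgrades `http://` links only after it has already seen the site over HTTPS (or has it preloaded), while `redirects_to_https` is the check for the server-side redirect Archie asks about, which covers the first visit of a client that has never seen the policy.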