From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 63889 invoked by alias); 11 Mar 2019 19:42:51 -0000 Mailing-List: contact cygwin-help@cygwin.com; run by ezmlm Precedence: bulk List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner@cygwin.com Mail-Followup-To: cygwin@cygwin.com Received: (qmail 63782 invoked by uid 89); 11 Mar 2019 19:42:51 -0000 Authentication-Results: sourceware.org; auth=none X-Spam-SWARE-Status: No, score=-2.7 required=5.0 tests=AWL,BAYES_00,RCVD_IN_DNSWL_LOW autolearn=ham version=3.3.1 spammy=HX-Languages-Length:1785, attack X-HELO: smtp-out-so.shaw.ca Received: from smtp-out-so.shaw.ca (HELO smtp-out-so.shaw.ca) (64.59.136.139) by sourceware.org (qpsmtpd/0.93/v0.84-503-g423c35a) with ESMTP; Mon, 11 Mar 2019 19:42:49 +0000 Received: from [192.168.1.114] ([24.64.172.44]) by shaw.ca with ESMTP id 3QovhmERCCmfG3QowhY1vT; Mon, 11 Mar 2019 13:42:46 -0600 Reply-To: Brian.Inglis@SystematicSw.ab.ca Subject: Re: SSL not required for setup.exe download To: cygwin@cygwin.com References: <1a840c2e-55ac-0ab4-66c4-a1f6a2c4f81a@Shaw.ca> <41f12842-ea43-ff63-a660-26ee3b497c63@SystematicSw.ab.ca> From: Brian Inglis Openpgp: preference=signencrypt Message-ID: <1b570593-0ec7-0890-26ef-7e7468534f47@SystematicSw.ab.ca> Date: Mon, 11 Mar 2019 19:42:00 -0000 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.5.3 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-IsSubscribed: yes X-SW-Source: 2019-03/txt/msg00255.txt.bz2 On 2019-03-11 07:43, Archie Cobbs wrote: > On Sun, Mar 10, 2019 at 10:51 PM Brian Inglis wrote: >>>>> Is there any reason not to force this redirect and close this security hole? >> There are apparently reasons not to force this redirect as it can also cause a >> security hole. > That's really interesting. Can you provide more detail? Search for HTTP HTTPS redirection SSL stripping MitM attack >>>> The whole sourceware.org site include cygwin.com uses HSTS which compliant >>>> supporting clients can use to switch to communicating over HTTPS. >>>> Clients which are not compliant or don't support HTTPS may still download the >>>> programs and files. >>> I don't see how HSTS solves the particular issue that I'm referring to. >> HSTS redirects requests from port 80 to 443 (HTTPS). > Not for me. Well, actually I'm getting inconsistent results... > On Mac OS X, neither Firefox, Chrome nor Safari will redirect to SSL. > On an old Windows 7 system, neither IE 8 (no surprise there) or Chrome > redirects. > However, with Chrome, it does not redirect at first, but once I've > manually entered https://www.cygwin.com it seems to "realize" that a > secure site exists, and after that it starts redirecting to SSL. > I can revert that behavior by clearing the cache. > So it seems in the case of Chrome, it has to be "taught" about the > existence of the secure site... which of course takes us right back to > the original problem. Some sites, proxies, and CDNs respond with HTTP/1.0 302 Found and redirects to HTTPS:443 followed by the HTTP header. -- Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada This email may be disturbing to some readers as it contains too much technical detail. Reader discretion is advised. -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple