From: L A Walsh
Date: Sun, 10 Mar 2019 23:20:00 -0000
To: cygwin@cygwin.com
Subject: Re: SSL not required for setup.exe download
Message-ID: <5C859BB7.4040900@tlinx.org>
X-SW-Source: 2019-03/txt/msg00229.txt.bz2

On 3/10/2019 7:16 AM, Brian Inglis wrote:
> On 2019-03-09 21:54, Archie Cobbs wrote:
>> It would be safer if http://www.cygwin.com always redirected you to
>> https://www.cygwin.com, where the page and the link are SSL.
>> Is there any reason not to force this redirect and close this security hole?
>>
----
I think the point is that if you redirect and a client can't speak https, what happens? Wouldn't they get an error that would prevent them from using the site?

Google has a vested interest in getting people locked in on https -- makes it much harder for people to use proxies and lower their requests to google and for them to block some requests.
They get to control what you get -- not you.

>
> The whole sourceware.org site including cygwin.com uses HSTS which compliant
> supporting clients can use to switch to communicating over HTTPS.
> Clients which are not compliant or don't support HTTPS may still download the
> programs and files.
>

--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
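The thread contrasts two ways of getting users onto HTTPS: an unconditional server-side redirect, which breaks clients that cannot speak TLS, and HSTS, which lets a compliant client upgrade its own requests while an HTTP-only client keeps working. The model below, added here as an illustration and not code from cygwin.com, sourceware.org or any of the posters, parses a Strict-Transport-Security header (RFC 6797), keeps the per-host policy cache a compliant client would keep, and shows what URL each kind of client actually requests for an http:// link. It also makes the cost of the HSTS-only approach visible: until a client has received the policy over HTTPS, its first request still goes out in the clear, and an HTTP-only client never upgrades at all. The header value, host names and timestamps are constructed for the example; the real header sourceware.org sends is not given on the page.

```python
"""Model of HSTS-aware versus HTTP-only client behaviour for an http:// link.

Added example for this thread; not code from cygwin.com or sourceware.org.
The header value, hosts and times are constructed assumptions, not observed data.
"""
import re
import time
from urllib.parse import urlsplit, urlunsplit

# Constructed sample header (assumption): what a site might send over HTTPS.
SAMPLE_HSTS_HEADER = "max-age=31536000; includeSubDomains"

# One directive: name, optionally "=" and a (possibly quoted) value.
_DIRECTIVE_RE = re.compile(r'\s*([A-Za-z-]+)\s*(?:=\s*"?([^";]*)"?)?\s*')


def parse_hsts(header: str):
    """Parse an HSTS header into {'max_age': int, 'include_subdomains': bool}.

    Returns None when the header is unusable (missing or non-numeric max-age),
    in which case a client must ignore it rather than guess a policy.
    """
    max_age = None
    include_sub = False
    for part in header.split(";"):
        if not part.strip():
            continue  # tolerate a trailing ';'
        m = _DIRECTIVE_RE.fullmatch(part)
        if not m:
            return None
        name, value = m.group(1).lower(), m.group(2)
        if name == "max-age":
            if value is None or not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
        # Unknown directives are ignored (RFC 6797 section 6.1).
    if max_age is None:
        return None
    return {"max_age": max_age, "include_subdomains": include_sub}


class HstsCache:
    """Per-host policy store a compliant client keeps (RFC 6797 section 5)."""

    def __init__(self):
        self._policies = {}  # host -> (expires_at, include_subdomains)

    def learn(self, host: str, header: str, now: float, over_https: bool = True) -> bool:
        """Record a policy. Only headers received over TLS are trusted."""
        if not over_https:
            return False
        policy = parse_hsts(header)
        if policy is None:
            return False
        if policy["max_age"] == 0:
            self._policies.pop(host.lower(), None)  # max-age=0 forgets the host
            return True
        self._policies[host.lower()] = (now + policy["max_age"], policy["include_subdomains"])
        return True

    def is_known_hsts_host(self, host: str, now: float) -> bool:
        """True if an unexpired policy covers host (directly or as a subdomain)."""
        host = host.lower()
        for stored, (expires_at, include_sub) in self._policies.items():
            if now >= expires_at:
                continue
            if host == stored or (include_sub and host.endswith("." + stored)):
                return True
        return False


def resolve_fetch_url(url: str, cache: HstsCache, now: float, client_supports_https: bool = True) -> str:
    """Return the URL a client really requests for the given link.

    A compliant client rewrites http:// to https:// for known HSTS hosts before
    sending anything; an HTTP-only client, or any client with no cached policy,
    fetches the link exactly as written.
    """
    parts = urlsplit(url)
    if parts.scheme != "http" or not client_supports_https:
        return url
    if not cache.is_known_hsts_host(parts.hostname, now):
        return url
    host = parts.hostname  # port 80 maps to 443; any other port is kept
    if parts.port not in (None, 80):
        host = f"{host}:{parts.port}"
    return urlunsplit(("https", host, parts.path, parts.query, parts.fragment))


def demo(now=None):
    """Walk one constructed scenario; returns (first_visit, after_policy, legacy)."""
    now = time.time() if now is None else now
    cache = HstsCache()
    link = "http://www.cygwin.com/setup.exe"  # constructed link for the demo
    first_visit = resolve_fetch_url(link, cache, now)  # no policy yet: plain HTTP
    # The policy is only learned from an HTTPS response (e.g. after a redirect).
    cache.learn("www.cygwin.com", SAMPLE_HSTS_HEADER, now, over_https=True)
    after_policy = resolve_fetch_url(link, cache, now)  # upgraded client-side
    legacy = resolve_fetch_url(link, cache, now, client_supports_https=False)
    return first_visit, after_policy, legacy


if __name__ == "__main__":
    for label, url in zip(("first visit", "after HSTS", "HTTP-only client"), demo()):
        print(f"{label:18s} -> {url}")
```

Run it to see the three outcomes side by side: the first request and the HTTP-only client's request both stay on http://, and only the compliant client with a cached policy moves to https://. That is the trade-off the thread is weighing: HSTS protects return visitors with modern clients without locking out older ones, while the very first download over plain HTTP is exactly the case the original question was about.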