Re: SSL not required for setup.exe download

[L A Walsh <cygwin@tlinx.org>]

On 3/10/2019 8:53 PM, Archie Cobbs wrote:
> On Sun, Mar 10, 2019 at 6:20 PM L A Walsh <cygwin@tlinx.org> wrote:
>   
>>>> It would be safer if http://www.cygwin.com always redirected you to
>>>> https://www.cygwin.com, where the page and the link are SSL.
>>>> Is there any reason not to force this redirect and close this security hole?
>>>>         
>>     I think the point is that if you redirect and a client can't
>> speak https, what happens?  Wouldn't they get an error that would
>> prevent them from using the site?
>>     
>
> I guess so. Can you name any such client?
>   
---
    Depends on the site, but for several months my browser would get
an error if I tried to goto my distro's website.  They implemented
hsts, but were using an insecure encryption that my browser had
enabled.  So now I try to only use their unencrypted channels for
distro-download, among other things.
 
As for others, and companies, such information is proprietary. 
Why would people advertise they are
using a browser that doesn't speak the latest fad?  If you are
asking for a mainstream browser, forget it, you'd have to
write your own software or make changes in one.  But any browser that
is open source could be configured to disable https on non-sensitive
sites, though eventually, intercepting only encrypted material and
ensuring that the browsers honor well-known CA's, that have
had keys requested under government security letters that forbid
any spread of such interception will get them most of what they
want.

    It's all in the name of protecting the citizens, of course...and
the children: think of the children (yeah, a bit of hyperbole here,
but that doesn't mean it can't be true).





--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple