From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 4017 invoked by alias); 11 Mar 2019 13:22:54 -0000 Mailing-List: contact cygwin-help@cygwin.com; run by ezmlm Precedence: bulk List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner@cygwin.com Mail-Followup-To: cygwin@cygwin.com Received: (qmail 3658 invoked by uid 89); 11 Mar 2019 13:22:54 -0000 Authentication-Results: sourceware.org; auth=none X-Spam-SWARE-Status: No, score=-6.1 required=5.0 tests=AWL,BAYES_00,GIT_PATCH_2 autolearn=ham version=3.3.1 spammy=ensuring, well-known, wellknown, citizens X-HELO: Ishtar.sc.tlinx.org Received: from ishtar.tlinx.org (HELO Ishtar.sc.tlinx.org) (173.164.175.65) by sourceware.org (qpsmtpd/0.93/v0.84-503-g423c35a) with ESMTP; Mon, 11 Mar 2019 13:22:52 +0000 Received: from [192.168.3.12] (Athenae [192.168.3.12]) by Ishtar.sc.tlinx.org (8.14.7/8.14.4/SuSE Linux 0.8) with ESMTP id x2BDMmqR047761; Mon, 11 Mar 2019 06:22:51 -0700 Message-ID: <5C866129.1090605@tlinx.org> Date: Mon, 11 Mar 2019 13:22:00 -0000 From: L A Walsh User-Agent: Thunderbird MIME-Version: 1.0 To: archie.cobbs@gmail.com CC: cygwin@cygwin.com Subject: Re: SSL not required for setup.exe download References: <5C859BB7.4040900@tlinx.org> In-Reply-To: Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-IsSubscribed: yes X-SW-Source: 2019-03/txt/msg00248.txt.bz2 On 3/10/2019 8:53 PM, Archie Cobbs wrote: > On Sun, Mar 10, 2019 at 6:20 PM L A Walsh wrote: > >>>> It would be safer if http://www.cygwin.com always redirected you to >>>> https://www.cygwin.com, where the page and the link are SSL. >>>> Is there any reason not to force this redirect and close this security hole? >>>> >> I think the point is that if you redirect and a client can't >> speak https, what happens? Wouldn't they get an error that would >> prevent them from using the site? >> > > I guess so. Can you name any such client? > --- Depends on the site, but for several months my browser would get an error if I tried to goto my distro's website. They implemented hsts, but were using an insecure encryption that my browser had enabled. So now I try to only use their unencrypted channels for distro-download, among other things. As for others, and companies, such information is proprietary. Why would people advertise they are using a browser that doesn't speak the latest fad? If you are asking for a mainstream browser, forget it, you'd have to write your own software or make changes in one. But any browser that is open source could be configured to disable https on non-sensitive sites, though eventually, intercepting only encrypted material and ensuring that the browsers honor well-known CA's, that have had keys requested under government security letters that forbid any spread of such interception will get them most of what they want. It's all in the name of protecting the citizens, of course...and the children: think of the children (yeah, a bit of hyperbole here, but that doesn't mean it can't be true). -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple