From: L A Walsh
To: archie.cobbs@gmail.com
CC: cygwin@cygwin.com
Date: Mon, 11 Mar 2019 20:24:00 -0000
Subject: Re: SSL should not be required for open source downloading
Message-ID: <5C86C415.3000807@tlinx.org>
References: <1a840c2e-55ac-0ab4-66c4-a1f6a2c4f81a@Shaw.ca> <41f12842-ea43-ff63-a660-26ee3b497c63@SystematicSw.ab.ca>

On 3/11/2019 6:43 AM, Archie Cobbs wrote:
> On Sun, Mar 10, 2019 at 10:51 PM Brian Inglis
> wrote:
>
>>>>> Is there any reason not to force this redirect and close this security hole?
>>>>>
>> There are apparently reasons not to force this redirect as it can also cause a
>> security hole.
>>
>
> That's really interesting. Can you provide more detail?
>
I know that was directed at Brian, but...
Because if the assumption is that the site uses https or will redirect to it, then to start the session the client would send startTLS parameters. If it so happens that part of the site does not use https, then an attacker could grab those initial parameters.

Somehow providing "opensource" binaries doesn't seem like the type of thing that needs or should even have encryption.

>
>>>> The whole sourceware.org site including cygwin.com uses HSTS, which compliant supporting clients can use to switch to communicating over HTTPS. Clients which are not compliant or don't support HTTPS may still download the programs and files.
>>>>
>>> I don't see how HSTS solves the particular issue that I'm referring to.
>>>
>> HSTS redirects requests from port 80 to 443 (HTTPS).
>>
>
> Not for me. Well, actually I'm getting inconsistent results...
> On Mac OS X, neither Firefox, Chrome nor Safari will redirect to SSL.
>
FWIW, Apple customizes their library behaviors and doesn't always follow the standards.

> On an old Windows 7 system, neither IE 8 (no surprise there) nor Chrome
> redirects.
>
---
HSTS is only set from HTTPS. If you only access the site in cleartext, that is what you will get.

If you don't understand HSTS, perhaps reading and understanding the document would be good before promoting it -- just sayin'.

--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
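The point made above, that a client only learns an HSTS policy from a response received over HTTPS and a Strict-Transport-Security header seen in cleartext must be ignored, is what RFC 6797 section 8.1 requires of user agents. The Python sketch below is added here as an illustration; it is not part of the thread and not the code of any browser. It models that client-side rule and, going beyond the thread, also handles includeSubDomains, expiry and withdrawal via max-age=0; the `example.org` host and header values are constructed.

```python
import time
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(value):
    """Parse an STS header value -> (max_age, include_subdomains), or None if malformed."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            if max_age is not None or not arg.isdigit():  # repeated or non-numeric
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


class HstsCache:
    def __init__(self, now=time.time):
        self.now, self.hosts = now, {}  # host -> (expiry, include_subdomains)

    def process_response(self, url, headers):
        """Record a policy only if the response came over TLS (RFC 6797 s8.1)."""
        parts = urlsplit(url)
        values = [v for k, v in headers if k.lower() == "strict-transport-security"]
        if parts.scheme != "https" or not values:
            return False  # cleartext response (or no header): nothing is learned
        parsed = parse_hsts(values[0])  # only the first STS header field counts
        if parsed is None:
            return False
        max_age, include_sub = parsed
        host = parts.hostname.lower()
        if max_age == 0:
            self.hosts.pop(host, None)  # max-age=0 withdraws an existing policy
        else:
            self.hosts[host] = (self.now() + max_age, include_sub)
        return True

    def rewrite(self, url):
        """Return the https:// form of an http:// URL when a live policy covers it."""
        parts = urlsplit(url)
        if parts.scheme != "http":
            return url
        labels = parts.hostname.lower().split(".")
        for i in range(len(labels)):  # exact host first, then each parent domain
            entry = self.hosts.get(".".join(labels[i:]))
            if entry and entry[0] > self.now() and (i == 0 or entry[1]):
                port = "" if parts.port in (None, 80) else f":{parts.port}"
                return urlunsplit(("https", ".".join(labels) + port) + parts[2:])
        return url
```

A client that only ever fetches `http://` URLs never reaches `process_response` with an `https://` URL, so its cache stays empty and `rewrite` leaves every request in cleartext, which is the behaviour reported in the thread.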