From: Brian Inglis <Brian.Inglis@SystematicSw.ab.ca>
To: cygwin@cygwin.com
Cc: sourcemaster@sourceware.org
Subject: Re: SSL not required for setup.exe download
Date: Mon, 11 Mar 2019 11:50:00 -0000 [thread overview]
Message-ID: <8d0f9c58-8304-7525-3b9e-0b8e92b1d697@SystematicSw.ab.ca> (raw)
In-Reply-To: <3132c0de-2689-a270-b996-d309017ca815@maxrnd.com>
On 2019-03-10 23:16, Mark Geisert wrote:
> On 2019-03-10, Brian Inglis wrote:
>> On 2019-03-10 10:40, Archie Cobbs wrote:
>>> In any case, the problem I'm talking about is trivial to verify. Just
>>> start up Chrome or Firefox and enter http://www.cygwin.com. You can
>>> then confirm that (a) the page you are looking at has an http:// URL,
>>> and (b) the link to setup.exe also has an http:// URL. Therefore,
>>> there is no real security in this scenario.
>>
>> I only get to see https://www.cygwin.com/ YMMV
>
> FWIW, I can reproduce the OP's STC using Chrome, Firefox, and Pale Moon. Not
> sure why it happens for some folks but not others. But since it does exist for
> some users, should it be dealt with?
It is possible that some of the clients on some of the systems accessing
sourceware projects may not be capable of supporting HTTPS, TLS, or HSTS, so a
permanent 301 redirection to HTTPS:443 may not be feasible.
If the sourcemaster at sourceware.org dealt with the issues below:
https://hstspreload.org/?domain=sourceware.org
by changing the header from:
Strict-Transport-Security: max-age=16070400
to:
Strict-Transport-Security: max-age=16070400; includeSubDomains; preload
it could be automatic soon in most major browsers using the Chromium/Mozilla
preload list:
https://github.com/chromium/hstspreload.org
but some of us are currently redirected while others are not.
I have probably been using HTTPS in browsers and scripts since it was supported
by sourceware.org and cygwin.com.
It looks like once browsers or clients have seen the HTTPS:443 STS header, or if
a site is on a preload list, they redirect to HTTPS:443; if you use wget, check
for ~/.wget-hsts which should contain {,www.}{cygwin.com,sourceware.org} if you
used wget to access those sites.
--
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada
This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
next prev parent reply other threads:[~2019-03-11 11:50 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-03-10 4:54 Archie Cobbs
2019-03-10 13:35 ` Andrey Repin
2019-03-10 16:35 ` Archie Cobbs
2019-03-10 14:16 ` Brian Inglis
2019-03-10 16:40 ` Archie Cobbs
2019-03-11 3:51 ` Brian Inglis
2019-03-11 5:16 ` Mark Geisert
2019-03-11 11:50 ` Brian Inglis [this message]
2019-03-11 13:13 ` SSL should not be " L A Walsh
2019-03-11 13:44 ` SSL not " Archie Cobbs
2019-03-11 19:42 ` Brian Inglis
2019-03-11 22:14 ` Archie Cobbs
2019-03-11 22:59 ` Lee
2019-03-12 13:47 ` Archie Cobbs
2019-03-12 14:31 ` Brian Inglis
2019-03-12 14:58 ` Archie Cobbs
2019-03-15 12:25 ` Brian Inglis
2019-03-28 18:13 ` Erik Soderquist
2019-03-12 19:21 ` Achim Gratz
2019-03-12 19:59 ` Lee
2019-03-12 0:20 ` Andrey Repin
2019-03-12 19:45 ` Lee
2019-03-12 20:35 ` Andrey Repin
2019-03-12 21:14 ` Lee
2019-03-12 21:35 ` Andrey Repin
2019-03-12 22:01 ` Lee
2019-03-12 20:42 ` Achim Gratz
2019-03-12 21:32 ` Lee
2019-03-12 21:35 ` Andrey Repin
2019-03-12 21:50 ` Lee
2019-03-13 20:50 ` Andrey Repin
2019-03-11 20:24 ` SSL should not be required for open source downloading L A Walsh
2019-03-10 14:16 ` SSL not required for setup.exe download Brian Inglis
2019-03-10 23:20 ` L A Walsh
2019-03-11 3:53 ` Archie Cobbs
2019-03-11 13:13 ` Brian Inglis
2019-03-11 13:22 ` L A Walsh
2019-03-11 13:39 ` L A Walsh
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=8d0f9c58-8304-7525-3b9e-0b8e92b1d697@SystematicSw.ab.ca \
--to=brian.inglis@systematicsw.ab.ca \
--cc=cygwin@cygwin.com \
--cc=sourcemaster@sourceware.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).