From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 78257 invoked by alias); 11 Mar 2019 11:50:36 -0000 Mailing-List: contact cygwin-help@cygwin.com; run by ezmlm Precedence: bulk List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner@cygwin.com Mail-Followup-To: cygwin@cygwin.com Received: (qmail 78240 invoked by uid 89); 11 Mar 2019 11:50:36 -0000 Authentication-Results: sourceware.org; auth=none X-Spam-SWARE-Status: No, score=-2.8 required=5.0 tests=AWL,BAYES_00,RCVD_IN_DNSWL_LOW autolearn=ham version=3.3.1 spammy= X-HELO: smtp-out-so.shaw.ca Received: from smtp-out-so.shaw.ca (HELO smtp-out-so.shaw.ca) (64.59.136.138) by sourceware.org (qpsmtpd/0.93/v0.84-503-g423c35a) with ESMTP; Mon, 11 Mar 2019 11:50:34 +0000 Received: from [192.168.1.114] ([24.64.172.44]) by shaw.ca with ESMTP id 3JRsh42lgxI393JRuhRS69; Mon, 11 Mar 2019 05:50:32 -0600 Reply-To: Brian.Inglis@SystematicSw.ab.ca Subject: Re: SSL not required for setup.exe download To: cygwin@cygwin.com References: <1a840c2e-55ac-0ab4-66c4-a1f6a2c4f81a@Shaw.ca> <41f12842-ea43-ff63-a660-26ee3b497c63@SystematicSw.ab.ca> <3132c0de-2689-a270-b996-d309017ca815@maxrnd.com> Cc: sourcemaster@sourceware.org From: Brian Inglis Openpgp: preference=signencrypt Message-ID: <8d0f9c58-8304-7525-3b9e-0b8e92b1d697@SystematicSw.ab.ca> Date: Mon, 11 Mar 2019 11:50:00 -0000 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.5.3 MIME-Version: 1.0 In-Reply-To: <3132c0de-2689-a270-b996-d309017ca815@maxrnd.com> Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-IsSubscribed: yes X-SW-Source: 2019-03/txt/msg00243.txt.bz2 On 2019-03-10 23:16, Mark Geisert wrote: > On 2019-03-10, Brian Inglis wrote: >> On 2019-03-10 10:40, Archie Cobbs wrote: >>> In any case, the problem I'm talking about is trivial to verify. Just >>> start up Chrome or Firefox and enter http://www.cygwin.com. You can >>> then confirm that (a) the page you are looking at has an http:// URL, >>> and (b) the link to setup.exe also has an http:// URL. Therefore, >>> there is no real security in this scenario. >> >> I only get to see https://www.cygwin.com/ YMMV > > FWIW, I can reproduce the OP's STC using Chrome, Firefox, and Pale Moon.  Not > sure why it happens for some folks but not others.  But since it does exist for > some users, should it be dealt with? It is possible that some of the clients on some of the systems accessing sourceware projects may not be capable of supporting HTTPS, TLS, or HSTS, so a permanent 301 redirection to HTTPS:443 may not be feasible. If the sourcemaster at sourceware.org dealt with the issues below: https://hstspreload.org/?domain=sourceware.org by changing the header from: Strict-Transport-Security: max-age=16070400 to: Strict-Transport-Security: max-age=16070400; includeSubDomains; preload it could be automatic soon in most major browsers using the Chromium/Mozilla preload list: https://github.com/chromium/hstspreload.org but some of us are currently redirected while others are not. I have probably been using HTTPS in browsers and scripts since it was supported by sourceware.org and cygwin.com. It looks like once browsers or clients have seen the HTTPS:443 STS header, or if a site is on a preload list, they redirect to HTTPS:443; if you use wget, check for ~/.wget-hsts which should contain {,www.}{cygwin.com,sourceware.org} if you used wget to access those sites. -- Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada This email may be disturbing to some readers as it contains too much technical detail. Reader discretion is advised. -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple