Date: Sun, 10 Mar 2019 13:35:00 -0000
From: Andrey Repin
Reply-To: cygwin@cygwin.com
Message-ID: <924339539.20190310162957@yandex.ru>
To: Archie Cobbs, cygwin@cygwin.com
Subject: Re: SSL not required for setup.exe download
X-SW-Source: 2019-03/txt/msg00216.txt.bz2

Greetings, Archie Cobbs!

> The FAQ states:
>
> The Cygwin website provides the setup program (setup-x86.exe or
> setup-x86_64.exe) using HTTPS (SSL/TLS).
>
> While this is true, it's not mandatory.
>
> If one happens to go to HTTP://www.cygwin.com instead of
> HTTPS://www.cygwin.com, then neither the page you are viewing (which
> contains the setup.exe download link), nor the setup.exe download link
> itself are secured via SSL.
>
> So someone who just types "cygwin.com" into the browser location bar
> and clicks on the setup.exe link is vulnerable to a MTM attack.
>
> It would be safer if http://www.cygwin.com always redirected you to
> https://www.cygwin.com, where the page and the link are SSL.
>
> Is there any reason not to force this redirect and close this security hole?

If you care that much, you would use https.
If not, then I see no reason to bend to hysteric crowd.

--
With best regards,
Andrey Repin
Sunday, March 10, 2019 16:29:01

Sorry for my terrible English...

--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
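The redirect Archie asks for, seen from the verifying side. This is an added example, not code from this thread or from cygwin.com's own web setup: it judges whether a plaintext request was answered with a permanent redirect to HTTPS on the same host, and whether the HTTPS page sets a Strict-Transport-Security header so a browser stops issuing plaintext requests at all. The hostnames, the sample responses and the helper names (`Response`, `evaluate_upgrade`, `parse_hsts`, `fetch`) are constructed for the example.

```python
"""Check whether an http:// origin forces an upgrade to https://.

Redirect evaluation is separated from network I/O so the decision logic can be
exercised offline against constructed responses; fetch() does a real HEAD
request without following redirects when you want to test a live site.
"""
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}
PERMANENT_CODES = {301, 308}   # cacheable: the browser remembers the upgrade


@dataclass
class Response:
    """Minimal view of an HTTP response: status code and lower-cased headers."""
    status: int
    headers: Dict[str, str] = field(default_factory=dict)


def evaluate_upgrade(url: str, resp: Response) -> dict:
    """Decide whether the response to a plaintext request upgrades the client to HTTPS.

    Returns {'upgraded': bool, 'permanent': bool, 'reason': str}.
    """
    parts = urlsplit(url)
    if parts.scheme == "https":
        return {"upgraded": True, "permanent": True, "reason": "request already over https"}
    if resp.status not in REDIRECT_CODES:
        # A 2xx over http means the page, and every download link on it, reached
        # the client unauthenticated: the situation the thread describes.
        return {"upgraded": False, "permanent": False,
                "reason": f"http request answered with {resp.status}, no redirect"}
    location = resp.headers.get("location")
    if not location:
        return {"upgraded": False, "permanent": False,
                "reason": "redirect without Location header"}
    target = urlsplit(urljoin(url, location))   # resolves relative Locations too
    if target.scheme != "https":
        return {"upgraded": False, "permanent": False,
                "reason": f"redirect stays on {target.scheme}"}
    if target.hostname != parts.hostname:
        reason = f"redirect to https on a different host ({target.hostname})"
    else:
        reason = "redirect to https on same host"
    return {"upgraded": True, "permanent": resp.status in PERMANENT_CODES, "reason": reason}


def parse_hsts(header: Optional[str]) -> Optional[dict]:
    """Parse a Strict-Transport-Security value; None if absent or malformed."""
    if not header:
        return None
    max_age, include_sub, preload = None, False, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.lower()
        if name == "max-age":
            try:
                max_age = int(value.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    if max_age is None:          # max-age is mandatory per RFC 6797
        return None
    return {"max_age": max_age, "include_subdomains": include_sub, "preload": preload}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects: we want to inspect the redirect itself."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url: str, timeout: float = 10.0) -> Response:
    """HEAD a URL and return the first response, redirect or not (network I/O)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as r:
            return Response(r.status, {k.lower(): v for k, v in r.headers.items()})
    except urllib.error.HTTPError as e:     # a 3xx ends up here with _NoRedirect
        return Response(e.code, {k.lower(): v for k, v in e.headers.items()})


# Constructed sample responses (not captures from cygwin.com):
PLAIN_OK = Response(200, {"content-type": "text/html"})          # the reported case
UPGRADE = Response(301, {"location": "https://www.example.test/"})  # forced redirect
TLS_PAGE = Response(200, {"strict-transport-security": "max-age=31536000; includeSubDomains"})

if __name__ == "__main__":
    for name, resp in [("plain", PLAIN_OK), ("upgrade", UPGRADE)]:
        print(name, evaluate_upgrade("http://www.example.test/", resp))
    print("hsts", parse_hsts(TLS_PAGE.headers.get("strict-transport-security")))
```

Run against a live site with `evaluate_upgrade(u, fetch(u))` for the http:// URL and `parse_hsts(fetch(https_u).headers.get("strict-transport-security"))` for the https:// one; a 301 or 308 plus an HSTS header with a long max-age is what closes the gap Archie describes, because after the first visit the browser no longer sends the plaintext request that an on-path attacker could answer. On the serving side the redirect is a single rule (for nginx, a port-80 `server` block containing `return 301 https://$host$request_uri;`).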