From: Lee <ler762@gmail.com>
To: cygwin@cygwin.com
Subject: Re: SSL not required for setup.exe download
Date: Tue, 12 Mar 2019 19:59:00 -0000 [thread overview]
Message-ID: <CAD8GWstONGL86FBAOsRf1w6ORDh3QawBDsuZDf+KQtAAR1_TVA@mail.gmail.com> (raw)
In-Reply-To: <CANSoFxu7sNUqP3zSKHiFULBrvOkhPFRuc8MyAHojAGFNu-O_xQ@mail.gmail.com>
On 3/12/19, Archie Cobbs wrote:
> On Mon, Mar 11, 2019 at 6:00 PM Lee wrote:
>> > I must say I'm surprised so many people think it's a good idea to
>> > leave cygwin open to trivial MITM attacks, which is the current state
>> > of affairs.
>>
>> But it's only open to a trivial MITM attack if the user types in
>> "http://cygwin.com" - correct? Why isn't the fix "don't do that"?
>
> Because security that rests on assuming humans will always do the
> correct thing has proven to be unreliable (understatement).
>
>> > This is my opinion only of course, but if cygwin wants to have any
>> > security credibility, it should simply disallow non-SSL downloads of
>> > setup.exe. Otherwise the chain of authenticity is broken forever.
>>
>> They sign setup.exe, so "the chain of authenticity" is there regardless.
>> https://cygwin.com/setup-x86_64.exe
>> https://cygwin.com/setup-x86_64.exe.sig
>
> I don't see your point.
>
> Downloading the sig file over HTTP is useless... any attacker going to
> the trouble to launch a MITM attack for setup.exe will certainly also
> do it for the sig file as well.
Have you ever used gpg? It tells you who signed the file:
$ gpg --verify cygwinSetup-x86_64.exe.sig cygwinSetup-x86_64.exe
gpg: Signature made Sun, Oct 21, 2018 12:02:34 PM EDT
gpg: using DSA key 0xA9A262FF676041BA
gpg: Good signature from "Cygwin <cygwin@cygwin.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 1169 DF9F 2273 4F74 3AA5 9232 A9A2 62FF 6760 41BA
So even if someone was able to hijack cygwin.com, the files I
downloaded won't verify.
and yes.. gpg key usage tends to devolve to 'trust on first use' but
even so, it still seems better than most alternatives.
Regards,
Lee
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
next prev parent reply other threads:[~2019-03-12 19:59 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-03-10 4:54 Archie Cobbs
2019-03-10 13:35 ` Andrey Repin
2019-03-10 16:35 ` Archie Cobbs
2019-03-10 14:16 ` Brian Inglis
2019-03-10 16:40 ` Archie Cobbs
2019-03-11 3:51 ` Brian Inglis
2019-03-11 5:16 ` Mark Geisert
2019-03-11 11:50 ` Brian Inglis
2019-03-11 13:13 ` SSL should not be " L A Walsh
2019-03-11 13:44 ` SSL not " Archie Cobbs
2019-03-11 19:42 ` Brian Inglis
2019-03-11 22:14 ` Archie Cobbs
2019-03-11 22:59 ` Lee
2019-03-12 13:47 ` Archie Cobbs
2019-03-12 14:31 ` Brian Inglis
2019-03-12 14:58 ` Archie Cobbs
2019-03-15 12:25 ` Brian Inglis
2019-03-28 18:13 ` Erik Soderquist
2019-03-12 19:21 ` Achim Gratz
2019-03-12 19:59 ` Lee [this message]
2019-03-12 0:20 ` Andrey Repin
2019-03-12 19:45 ` Lee
2019-03-12 20:35 ` Andrey Repin
2019-03-12 21:14 ` Lee
2019-03-12 21:35 ` Andrey Repin
2019-03-12 22:01 ` Lee
2019-03-12 20:42 ` Achim Gratz
2019-03-12 21:32 ` Lee
2019-03-12 21:35 ` Andrey Repin
2019-03-12 21:50 ` Lee
2019-03-13 20:50 ` Andrey Repin
2019-03-11 20:24 ` SSL should not be required for open source downloading L A Walsh
2019-03-10 14:16 ` SSL not required for setup.exe download Brian Inglis
2019-03-10 23:20 ` L A Walsh
2019-03-11 3:53 ` Archie Cobbs
2019-03-11 13:13 ` Brian Inglis
2019-03-11 13:22 ` L A Walsh
2019-03-11 13:39 ` L A Walsh
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAD8GWstONGL86FBAOsRf1w6ORDh3QawBDsuZDf+KQtAAR1_TVA@mail.gmail.com \
--to=ler762@gmail.com \
--cc=cygwin@cygwin.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).