From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 46730 invoked by alias); 12 Mar 2019 19:59:00 -0000 Mailing-List: contact cygwin-help@cygwin.com; run by ezmlm Precedence: bulk List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner@cygwin.com Mail-Followup-To: cygwin@cygwin.com Received: (qmail 46723 invoked by uid 89); 12 Mar 2019 19:58:59 -0000 Authentication-Results: sourceware.org; auth=none X-Spam-SWARE-Status: No, score=2.6 required=5.0 tests=AWL,BAYES_40,EXECUTABLE_URI,FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,KAM_EXEURI,RCVD_IN_DNSWL_NONE,SPF_PASS autolearn=no version=3.3.1 spammy=certified, proven, sk:setup-x, setupx86_64exesig X-HELO: mail-qt1-f178.google.com Received: from mail-qt1-f178.google.com (HELO mail-qt1-f178.google.com) (209.85.160.178) by sourceware.org (qpsmtpd/0.93/v0.84-503-g423c35a) with ESMTP; Tue, 12 Mar 2019 19:58:58 +0000 Received: by mail-qt1-f178.google.com with SMTP id z25so4020409qti.13 for ; Tue, 12 Mar 2019 12:58:58 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=aWjeQeS9MkOXRqM6YQrd7v1MHLPMdWre+JMrU/9i6ag=; b=guLzLca3qzr/aQ8J8nKXbPewqWyrkGren2P7Z4vYmUmsKQemlO0hzWkd1eUBSuAB6Z nKk6MGDAX9nku+ALqi9kPTN/kRUEpKKl8QcMkSYBtrAQi6nLpmB7ywdgB7XV82Aax9FF DZbJHUWRIR5tjEwDnuhcxZ2X12OIFZZ4wAHqnwRk3tqCQHyxwV9HRJ4ByY+CgoPEZyw8 DQI50i2+pEfJrOeyEXoZWvYmGhw7mu3dj8N5crNQDc72dTPBKv6gg7ypkqawC2xqlJ0Q iKc+b/yEHwk7xT5NV2Yx+5oGa8aFokyyj3hCiuVMs8jRfgDrqKKXqddYNc6PIw4+I83H 8GXA== MIME-Version: 1.0 Received: by 2002:a0c:98ed:0:0:0:0:0 with HTTP; Tue, 12 Mar 2019 12:58:54 -0700 (PDT) In-Reply-To: References: <1a840c2e-55ac-0ab4-66c4-a1f6a2c4f81a@Shaw.ca> <41f12842-ea43-ff63-a660-26ee3b497c63@SystematicSw.ab.ca> <1b570593-0ec7-0890-26ef-7e7468534f47@SystematicSw.ab.ca> From: Lee Date: Tue, 12 Mar 2019 19:59:00 -0000 Message-ID: Subject: Re: SSL not required for setup.exe download To: cygwin@cygwin.com Content-Type: text/plain; charset="UTF-8" X-IsSubscribed: yes X-SW-Source: 2019-03/txt/msg00310.txt.bz2 On 3/12/19, Archie Cobbs wrote: > On Mon, Mar 11, 2019 at 6:00 PM Lee wrote: >> > I must say I'm surprised so many people think it's a good idea to >> > leave cygwin open to trivial MITM attacks, which is the current state >> > of affairs. >> >> But it's only open to a trivial MITM attack if the user types in >> "http://cygwin.com" - correct? Why isn't the fix "don't do that"? > > Because security that rests on assuming humans will always do the > correct thing has proven to be unreliable (understatement). > >> > This is my opinion only of course, but if cygwin wants to have any >> > security credibility, it should simply disallow non-SSL downloads of >> > setup.exe. Otherwise the chain of authenticity is broken forever. >> >> They sign setup.exe, so "the chain of authenticity" is there regardless. >> https://cygwin.com/setup-x86_64.exe >> https://cygwin.com/setup-x86_64.exe.sig > > I don't see your point. > > Downloading the sig file over HTTP is useless... any attacker going to > the trouble to launch a MITM attack for setup.exe will certainly also > do it for the sig file as well. Have you ever used gpg? It tells you who signed the file: $ gpg --verify cygwinSetup-x86_64.exe.sig cygwinSetup-x86_64.exe gpg: Signature made Sun, Oct 21, 2018 12:02:34 PM EDT gpg: using DSA key 0xA9A262FF676041BA gpg: Good signature from "Cygwin " gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 1169 DF9F 2273 4F74 3AA5 9232 A9A2 62FF 6760 41BA So even if someone was able to hijack cygwin.com, the files I downloaded won't verify. and yes.. gpg key usage tends to devolve to 'trust on first use' but even so, it still seems better than most alternatives. Regards, Lee -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple