From: Lee <ler762@gmail.com>
To: cygwin@cygwin.com
Subject: Re: SSL not required for setup.exe download
Date: Mon, 11 Mar 2019 22:59:00 -0000 [thread overview]
Message-ID: <CAD8GWsu+P_d8RCiibkZ068oRAf8yeu=W5CLFO+ZNXGxjUcBOpw@mail.gmail.com> (raw)
In-Reply-To: <CANSoFxsq+5OfRH7RF3QdpMSJU-4JAKSCZM-rUUysP5Y3myR0+Q@mail.gmail.com>
On 3/11/19, Archie Cobbs wrote:
> On Mon, Mar 11, 2019 at 2:43 PM Brian Inglis wrote:
>> On 2019-03-11 07:43, Archie Cobbs wrote:
>> > On Sun, Mar 10, 2019 at 10:51 PM Brian Inglis wrote:
>> >>>>> Is there any reason not to force this redirect and close this
>> >>>>> security hole?
>> >> There are apparently reasons not to force this redirect as it can also
>> >> cause a
>> >> security hole.
>> > That's really interesting. Can you provide more detail?
>>
>> Search for HTTP HTTPS redirection SSL stripping MitM attack
>
> I did, but I only get results relating to the "stripping" attack,
> which downgrades from HTTPS to HTTP.
>
> Obviously that would cause a reduction in security... But what I'm
> suggesting is the opposite: redirecting from HTTP to HTTPS.
>
> How could that reduce security?
part of "security" is "availability". If whatever doing the download
isn't able to do TLS then redirecting to https://cygwin.com makes
cygwin.com unavailable.
> (sigh)
>
> I must say I'm surprised so many people think it's a good idea to
> leave cygwin open to trivial MITM attacks, which is the current state
> of affairs.
But it's only open to a trivial MITM attack if the user types in
"http://cygwin.com" - correct? Why isn't the fix "don't do that"?
> This is my opinion only of course, but if cygwin wants to have any
> security credibility, it should simply disallow non-SSL downloads of
> setup.exe. Otherwise the chain of authenticity is broken forever.
They sign setup.exe, so "the chain of authenticity" is there regardless.
https://cygwin.com/setup-x86_64.exe
https://cygwin.com/setup-x86_64.exe.sig
Regards,
Lee
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
next prev parent reply other threads:[~2019-03-11 22:59 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-03-10 4:54 Archie Cobbs
2019-03-10 13:35 ` Andrey Repin
2019-03-10 16:35 ` Archie Cobbs
2019-03-10 14:16 ` Brian Inglis
2019-03-10 16:40 ` Archie Cobbs
2019-03-11 3:51 ` Brian Inglis
2019-03-11 5:16 ` Mark Geisert
2019-03-11 11:50 ` Brian Inglis
2019-03-11 13:13 ` SSL should not be " L A Walsh
2019-03-11 13:44 ` SSL not " Archie Cobbs
2019-03-11 19:42 ` Brian Inglis
2019-03-11 22:14 ` Archie Cobbs
2019-03-11 22:59 ` Lee [this message]
2019-03-12 13:47 ` Archie Cobbs
2019-03-12 14:31 ` Brian Inglis
2019-03-12 14:58 ` Archie Cobbs
2019-03-15 12:25 ` Brian Inglis
2019-03-28 18:13 ` Erik Soderquist
2019-03-12 19:21 ` Achim Gratz
2019-03-12 19:59 ` Lee
2019-03-12 0:20 ` Andrey Repin
2019-03-12 19:45 ` Lee
2019-03-12 20:35 ` Andrey Repin
2019-03-12 21:14 ` Lee
2019-03-12 21:35 ` Andrey Repin
2019-03-12 22:01 ` Lee
2019-03-12 20:42 ` Achim Gratz
2019-03-12 21:32 ` Lee
2019-03-12 21:35 ` Andrey Repin
2019-03-12 21:50 ` Lee
2019-03-13 20:50 ` Andrey Repin
2019-03-11 20:24 ` SSL should not be required for open source downloading L A Walsh
2019-03-10 14:16 ` SSL not required for setup.exe download Brian Inglis
2019-03-10 23:20 ` L A Walsh
2019-03-11 3:53 ` Archie Cobbs
2019-03-11 13:13 ` Brian Inglis
2019-03-11 13:22 ` L A Walsh
2019-03-11 13:39 ` L A Walsh
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAD8GWsu+P_d8RCiibkZ068oRAf8yeu=W5CLFO+ZNXGxjUcBOpw@mail.gmail.com' \
--to=ler762@gmail.com \
--cc=cygwin@cygwin.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).