From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 59352 invoked by alias); 11 Mar 2019 22:59:41 -0000 Mailing-List: contact cygwin-help@cygwin.com; run by ezmlm Precedence: bulk List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner@cygwin.com Mail-Followup-To: cygwin@cygwin.com Received: (qmail 59345 invoked by uid 89); 11 Mar 2019 22:59:41 -0000 Authentication-Results: sourceware.org; auth=none X-Spam-SWARE-Status: No, score=1.6 required=5.0 tests=AWL,BAYES_00,EXECUTABLE_URI,FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,KAM_EXEURI,RCVD_IN_DNSWL_NONE,SPF_PASS autolearn=no version=3.3.1 spammy=attack X-HELO: mail-qt1-f177.google.com Received: from mail-qt1-f177.google.com (HELO mail-qt1-f177.google.com) (209.85.160.177) by sourceware.org (qpsmtpd/0.93/v0.84-503-g423c35a) with ESMTP; Mon, 11 Mar 2019 22:59:39 +0000 Received: by mail-qt1-f177.google.com with SMTP id z25so460993qti.13 for ; Mon, 11 Mar 2019 15:59:39 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=Sw6AImPJfbNqHAbezReOjPGUWt5GCiyZRG2eRt6ZEjI=; b=ieEq/G1aYpE/1WnSpkuuP8Mm7LNXKak2+0hWWU30rP2J+hzWM8mcdpiG0z7zRcObdT KQiEVy8/GudZfzoV8sW+ph+/AG4dyjuMuz4x7FazW7nTiYShGipdc58EhzoW7nQT4bEh Y1v1wOnhzK6IRb0WTnibZ/IuoN2WXzJze0N9IKYrk4N2bYh0c53jKf6oaGDDBv36e+Ar BlSdD9qWlbAiHtQbnqdy5VPVWjhKPzw2c0i+fb7G+xlkdCdWCTHyhFV+O8sIs3hp+AL5 c1TiX9FYPdZY1YK7gZosY76kAeBoFxYeMyyRQRwXNQyPy3cqSfLD7uMpxQ3ihf0Jn2xl rrOg== MIME-Version: 1.0 Received: by 2002:a0c:98ed:0:0:0:0:0 with HTTP; Mon, 11 Mar 2019 15:59:36 -0700 (PDT) In-Reply-To: References: <1a840c2e-55ac-0ab4-66c4-a1f6a2c4f81a@Shaw.ca> <41f12842-ea43-ff63-a660-26ee3b497c63@SystematicSw.ab.ca> <1b570593-0ec7-0890-26ef-7e7468534f47@SystematicSw.ab.ca> From: Lee Date: Mon, 11 Mar 2019 22:59:00 -0000 Message-ID: Subject: Re: SSL not required for setup.exe download To: cygwin@cygwin.com Content-Type: text/plain; charset="UTF-8" X-IsSubscribed: yes X-SW-Source: 2019-03/txt/msg00268.txt.bz2 On 3/11/19, Archie Cobbs wrote: > On Mon, Mar 11, 2019 at 2:43 PM Brian Inglis wrote: >> On 2019-03-11 07:43, Archie Cobbs wrote: >> > On Sun, Mar 10, 2019 at 10:51 PM Brian Inglis wrote: >> >>>>> Is there any reason not to force this redirect and close this >> >>>>> security hole? >> >> There are apparently reasons not to force this redirect as it can also >> >> cause a >> >> security hole. >> > That's really interesting. Can you provide more detail? >> >> Search for HTTP HTTPS redirection SSL stripping MitM attack > > I did, but I only get results relating to the "stripping" attack, > which downgrades from HTTPS to HTTP. > > Obviously that would cause a reduction in security... But what I'm > suggesting is the opposite: redirecting from HTTP to HTTPS. > > How could that reduce security? part of "security" is "availability". If whatever doing the download isn't able to do TLS then redirecting to https://cygwin.com makes cygwin.com unavailable. > (sigh) > > I must say I'm surprised so many people think it's a good idea to > leave cygwin open to trivial MITM attacks, which is the current state > of affairs. But it's only open to a trivial MITM attack if the user types in "http://cygwin.com" - correct? Why isn't the fix "don't do that"? > This is my opinion only of course, but if cygwin wants to have any > security credibility, it should simply disallow non-SSL downloads of > setup.exe. Otherwise the chain of authenticity is broken forever. They sign setup.exe, so "the chain of authenticity" is there regardless. https://cygwin.com/setup-x86_64.exe https://cygwin.com/setup-x86_64.exe.sig Regards, Lee -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple