From: Lee <ler762@gmail.com>
To: cygwin@cygwin.com
Subject: Re: SSL not required for setup.exe download
Date: Tue, 12 Mar 2019 19:45:00 -0000 [thread overview]
Message-ID: <CAD8GWsv=R+G5P9_fNvMvC1+txqPELr=5s3R38jiPyCUj0AcTFg@mail.gmail.com> (raw)
In-Reply-To: <1406950005.20190312031618@yandex.ru>
On 3/11/19, Andrey Repin wrote:
> Greetings, Archie Cobbs!
>
>> I must say I'm surprised so many people think it's a good idea to
>> leave cygwin open to trivial MITM attacks, which is the current state
>> of affairs.
>
>> This is my opinion only of course, but if cygwin wants to have any
>> security credibility, it should simply disallow non-SSL downloads of
>> setup.exe. Otherwise the chain of authenticity is broken forever.
>
> All the SSL stuff is build on idea of implicit unlimited trust.
I agree, the whole certificate authority bit seems to .. over-promise.
On the other hand, it does also seems to "raise the bar" making it
much more difficult to snoop or alter data in transit.
> Which is way worse in my opinion, than any theoretical MITM attack, which
> is easily mitigated with proper validation of your downloads.
Serious question - exactly how does one do "proper validation of your
downloads"?
For example, I don't have the current version of 7-zip
https://www.7-zip.org/
has a download link, but I don't see anything for a .sig, checksum or anything.
https://sourceforge.net/projects/sevenzip/files/7-Zip/19.00/
isn't any better.
It seems to me that the best I can do is make sure I do the download
via an https:// link
> It gives you false sense of security. What is worse, everybody is
> attempting
> to reassure this false sense on every possible occasion.
I don't think it's a false sense of security. https:// isn't "safe"
but it is _safer_ than http://
Regards,
Lee
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
next prev parent reply other threads:[~2019-03-12 19:45 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-03-10 4:54 Archie Cobbs
2019-03-10 13:35 ` Andrey Repin
2019-03-10 16:35 ` Archie Cobbs
2019-03-10 14:16 ` Brian Inglis
2019-03-10 23:20 ` L A Walsh
2019-03-11 3:53 ` Archie Cobbs
2019-03-11 13:13 ` Brian Inglis
2019-03-11 13:22 ` L A Walsh
2019-03-11 13:39 ` L A Walsh
2019-03-10 14:16 ` Brian Inglis
2019-03-10 16:40 ` Archie Cobbs
2019-03-11 3:51 ` Brian Inglis
2019-03-11 5:16 ` Mark Geisert
2019-03-11 11:50 ` Brian Inglis
2019-03-11 13:13 ` SSL should not be " L A Walsh
2019-03-11 13:44 ` SSL not " Archie Cobbs
2019-03-11 19:42 ` Brian Inglis
2019-03-11 22:14 ` Archie Cobbs
2019-03-11 22:59 ` Lee
2019-03-12 13:47 ` Archie Cobbs
2019-03-12 14:31 ` Brian Inglis
2019-03-12 14:58 ` Archie Cobbs
2019-03-15 12:25 ` Brian Inglis
2019-03-28 18:13 ` Erik Soderquist
2019-03-12 19:21 ` Achim Gratz
2019-03-12 19:59 ` Lee
2019-03-12 0:20 ` Andrey Repin
2019-03-12 19:45 ` Lee [this message]
2019-03-12 20:35 ` Andrey Repin
2019-03-12 21:14 ` Lee
2019-03-12 21:35 ` Andrey Repin
2019-03-12 22:01 ` Lee
2019-03-12 20:42 ` Achim Gratz
2019-03-12 21:32 ` Lee
2019-03-12 21:35 ` Andrey Repin
2019-03-12 21:50 ` Lee
2019-03-13 20:50 ` Andrey Repin
2019-03-11 20:24 ` SSL should not be required for open source downloading L A Walsh
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAD8GWsv=R+G5P9_fNvMvC1+txqPELr=5s3R38jiPyCUj0AcTFg@mail.gmail.com' \
--to=ler762@gmail.com \
--cc=cygwin@cygwin.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).