From: Archie Cobbs
Date: Mon, 11 Mar 2019 22:14:00 -0000
Subject: Re: SSL not required for setup.exe download
To: Brian.Inglis@systematicsw.ab.ca, cygwin@cygwin.com
In-Reply-To: <1b570593-0ec7-0890-26ef-7e7468534f47@SystematicSw.ab.ca>
References: <1a840c2e-55ac-0ab4-66c4-a1f6a2c4f81a@Shaw.ca> <41f12842-ea43-ff63-a660-26ee3b497c63@SystematicSw.ab.ca> <1b570593-0ec7-0890-26ef-7e7468534f47@SystematicSw.ab.ca>
Mailing-List: contact cygwin-help@cygwin.com; run by ezmlm
X-SW-Source: 2019-03/txt/msg00267.txt.bz2

On Mon, Mar 11, 2019 at 2:43 PM Brian Inglis wrote:
> On 2019-03-11 07:43, Archie Cobbs wrote:
> > On Sun, Mar 10, 2019 at 10:51 PM Brian Inglis wrote:
> >>>>> Is there any reason not to force this redirect and close this security hole?
> >> There are apparently reasons not to force this redirect as it can also cause a
> >> security hole.
> > That's really interesting. Can you provide more detail?
> Search for HTTP HTTPS redirection SSL stripping MitM attack

I did, but I only get results relating to the "stripping" attack, which downgrades from HTTPS to HTTP. Obviously that would cause a reduction in security... But what I'm suggesting is the opposite: redirecting from HTTP to HTTPS. How could that reduce security?

(sigh) I must say I'm surprised so many people think it's a good idea to leave cygwin open to trivial MITM attacks, which is the current state of affairs.

This is my opinion only of course, but if cygwin wants to have any security credibility, it should simply disallow non-SSL downloads of setup.exe. Otherwise the chain of authenticity is broken forever.

-AC

--
Archie L. Cobbs

--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
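As an added illustration of the two cases argued over above (an HTTP to HTTPS upgrade redirect versus a stripped or downgraded fetch), here is a small Python checker that is not code from this thread or from the Cygwin project: it classifies the redirect chain a client actually followed, and flags that any chain starting with a plain HTTP request was open to tampering before the redirect was ever seen. The hostnames and response chains are constructed samples.

```python
from urllib.parse import urlparse

# Constructed sample chains (not captures from cygwin.com); each hop is
# (requested_url, status, response_headers) as the client saw them.
UPGRADE_CHAIN = [
    ("http://mirror.invalid/setup.exe", 301,
     {"Location": "https://mirror.invalid/setup.exe"}),
    ("https://mirror.invalid/setup.exe", 200,
     {"Strict-Transport-Security": "max-age=31536000"}),
]
STRIPPED_CHAIN = [  # the http request was answered in the clear, no upgrade
    ("http://mirror.invalid/setup.exe", 200, {}),
]
DOWNGRADE_CHAIN = [  # an https hop sent the client back to http
    ("https://mirror.invalid/setup.exe", 302,
     {"Location": "http://mirror.invalid/setup.exe"}),
    ("http://mirror.invalid/setup.exe", 200, {}),
]


def assess_chain(chain):
    """Classify how a download chain was fetched.

    verdict: 'ok' (body served over https, never downgraded),
             'plaintext' (body served over http), or
             'downgrade' (an https hop redirected to http).
    started_plaintext: the first request went out over http, so even an
    upgrade redirect could have been rewritten on path before the client
    saw it; only a client that starts at https (or remembers HSTS)
    avoids that exposure.
    """
    downgraded = False
    for url, _status, headers in chain:
        loc = headers.get("Location")
        if loc and urlparse(url).scheme == "https" \
                and urlparse(loc).scheme == "http":
            downgraded = True
    final_url, _status, final_headers = chain[-1]
    final_scheme = urlparse(final_url).scheme
    if downgraded:
        verdict = "downgrade"
    elif final_scheme != "https":
        verdict = "plaintext"
    else:
        verdict = "ok"
    return {
        "verdict": verdict,
        "final_scheme": final_scheme,
        "started_plaintext": urlparse(chain[0][0]).scheme == "http",
        "hsts": "Strict-Transport-Security" in final_headers,
    }
```

Note that the upgrade chain is rated 'ok' for the bytes it delivered but still reports started_plaintext, which is the gap the redirect alone cannot close.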