From mboxrd@z Thu Jan 1 00:00:00 1970
From: Archie Cobbs
To: Brian.Inglis@shaw.ca, cygwin@cygwin.com
Date: Sun, 10 Mar 2019 16:40:00 -0000
Subject: Re: SSL not required for setup.exe download
In-Reply-To: <1a840c2e-55ac-0ab4-66c4-a1f6a2c4f81a@Shaw.ca>
References: <1a840c2e-55ac-0ab4-66c4-a1f6a2c4f81a@Shaw.ca>
Mailing-List: contact cygwin-help@cygwin.com; run by ezmlm
X-SW-Source: 2019-03/txt/msg00223.txt.bz2

Hi Brian,

On Sun, Mar 10, 2019 at 9:16 AM Brian Inglis wrote:
>
> > Is there any reason not to force this redirect and close this security hole?
>
> The whole sourceware.org site including cygwin.com uses HSTS which compliant
> supporting clients can use to switch to communicating over HTTPS.
> Clients which are not compliant or don't support HTTPS may still download the
> programs and files.

I don't see how HSTS solves the particular issue that I'm referring to.
HSTS only applies to connections that are *already* using HTTPS.

Quoting Wikipedia:

    HSTS mechanism overview

    A server implements an HSTS policy by supplying a header over an HTTPS
    connection (HSTS headers over HTTP are ignored).

In any case, the problem I'm talking about is trivial to verify. Just start up
Chrome or Firefox and enter http://www.cygwin.com. You can then confirm that
(a) the page you are looking at has an http:// URL, and (b) the link to
setup.exe also has an http:// URL.

Therefore, there is no real security in this scenario.

-Archie

--
Archie L. Cobbs

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
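Added example, not part of the thread and not Cygwin project code: a small Python checker that encodes the rule Archie quotes (a Strict-Transport-Security header only counts when it arrives over HTTPS, per RFC 6797) and reports, for a given response, whether a plain-HTTP first visit gets any transport protection and whether the page links to downloads such as setup.exe over http://. The hostnames, headers and HTML bodies in SAMPLES are constructed for the example and do not describe what any real site served.

```python
"""Does a plain-HTTP landing page actually give visitors any transport security?

RFC 6797 (HSTS) only lets a browser honour Strict-Transport-Security when the
header is received over HTTPS; the same header on a plain-HTTP response is
ignored.  So unless the http:// page redirects to https://, an HSTS policy on
the TLS side does nothing for a visitor who typed a plain http:// URL.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _LinkCollector(HTMLParser):
    """Collect href/src targets from a page (helper written for this example)."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.links.append(value)


def _header(headers, name):
    """Case-insensitive header lookup; returns None when absent."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)


def hsts_effective(url, headers):
    """True only if an HSTS policy was delivered over HTTPS (RFC 6797 section 8.1)."""
    over_https = urlsplit(url).scheme.lower() == "https"
    return over_https and _header(headers, "Strict-Transport-Security") is not None


def redirects_to_https(status, headers):
    """True if the response is a redirect whose Location is an https:// URL."""
    location = _header(headers, "Location")
    if status not in (301, 302, 307, 308) or location is None:
        return False
    return urlsplit(location).scheme.lower() == "https"


def assess(url, status, headers, body):
    """Summarise one response from the point of view of a plain-HTTP visitor."""
    collector = _LinkCollector()
    collector.feed(body)
    absolute = {urljoin(url, link) for link in collector.links}
    plain_links = sorted(u for u in absolute if urlsplit(u).scheme.lower() == "http")
    result = {
        "page_over_https": urlsplit(url).scheme.lower() == "https",
        "hsts_effective": hsts_effective(url, headers),
        "redirects_to_https": redirects_to_https(status, headers),
        "plain_http_links": plain_links,
    }
    # A first visit is protected only if it is already on HTTPS or is sent there.
    result["first_visit_protected"] = result["page_over_https"] or result["redirects_to_https"]
    return result


# Constructed sample responses (url, status, headers, body); not real captures.
SAMPLES = {
    # HSTS header sent on plain HTTP: ignored by browsers, and the download link is http://.
    "plain_http_with_sts_header": (
        "http://www.example.test/",
        200,
        {"Content-Type": "text/html", "Strict-Transport-Security": "max-age=31536000"},
        '<html><body><a href="http://www.example.test/setup.exe">setup.exe</a></body></html>',
    ),
    # The fix the thread asks about: plain HTTP redirects to HTTPS.
    "plain_http_redirect": (
        "http://www.example.test/",
        301,
        {"Location": "https://www.example.test/"},
        "",
    ),
    # Over HTTPS the HSTS header is honoured and relative links stay on https://.
    "https_with_sts_header": (
        "https://www.example.test/",
        200,
        {"Strict-Transport-Security": "max-age=31536000"},
        '<html><body><a href="/setup.exe">setup.exe</a></body></html>',
    ),
}


def run_samples():
    """Assess every constructed sample; returns a dict keyed by sample name."""
    return {name: assess(*response) for name, response in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(name, verdict)
```

The first sample is the situation the message describes: the server may send Strict-Transport-Security, but because the page arrived over http:// the policy is ignored and the setup.exe link is still plain http://, so `first_visit_protected` is False. Only the second sample, where the http:// request is redirected to https://, closes that gap for a visitor who typed the plain URL.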