From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 27186 invoked by alias); 11 Mar 2019 13:44:14 -0000 Mailing-List: contact cygwin-help@cygwin.com; run by ezmlm Precedence: bulk List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner@cygwin.com Mail-Followup-To: cygwin@cygwin.com Received: (qmail 27179 invoked by uid 89); 11 Mar 2019 13:44:14 -0000 Authentication-Results: sourceware.org; auth=none X-Spam-SWARE-Status: No, score=-1.5 required=5.0 tests=AWL,BAYES_00,FREEMAIL_FROM,RCVD_IN_DNSWL_NONE,SPF_PASS autolearn=ham version=3.3.1 spammy=clearing, site X-HELO: mail-ua1-f46.google.com Received: from mail-ua1-f46.google.com (HELO mail-ua1-f46.google.com) (209.85.222.46) by sourceware.org (qpsmtpd/0.93/v0.84-503-g423c35a) with ESMTP; Mon, 11 Mar 2019 13:44:12 +0000 Received: by mail-ua1-f46.google.com with SMTP id e15so1522206uam.3 for ; Mon, 11 Mar 2019 06:44:12 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=lZmADirGwWfQ0RxtEHm71ymwyLKnikxMD7pKg/NgVys=; b=eB+pCj/EIU9+6Oi0zeaQQfuof1ptjY7BgKk/udoyC8taWKkLQKdVhbVpo7iFJHSKn4 pNhDUO1e4KGmFJfn5yufoCH8kIVwP1liz68YFKSxc1HxbcBMNISiE7+MuikDCr2k97CM 1uJ+EdDSZW2Jdpj4D76dwzYydW9juXMcuJTpmpL+gMYS31uqSsqtqoPbbjezakjSuiQ3 AVve2KGdTJe8SpiBmc7Q5NsMIAiTmTXDo7Q7lATAzrW1AzyD7QTVAb5sX/t+8NmPkJdg gZz/K7pCt6WIxHxeg9kYRFe9Ygp/f8wa5rKVsb+0Hm8ovSRGzMVdyHprTUnPzGOFEMuL 5gRQ== MIME-Version: 1.0 References: <1a840c2e-55ac-0ab4-66c4-a1f6a2c4f81a@Shaw.ca> <41f12842-ea43-ff63-a660-26ee3b497c63@SystematicSw.ab.ca> In-Reply-To: <41f12842-ea43-ff63-a660-26ee3b497c63@SystematicSw.ab.ca> From: Archie Cobbs Date: Mon, 11 Mar 2019 13:44:00 -0000 Message-ID: Subject: Re: SSL not required for setup.exe download To: Brian.Inglis@systematicsw.ab.ca, cygwin@cygwin.com Content-Type: text/plain; charset="UTF-8" X-IsSubscribed: yes X-SW-Source: 2019-03/txt/msg00250.txt.bz2 On Sun, Mar 10, 2019 at 10:51 PM Brian Inglis wrote: > >>> Is there any reason not to force this redirect and close this security hole? > > There are apparently reasons not to force this redirect as it can also cause a > security hole. That's really interesting. Can you provide more detail? > >> The whole sourceware.org site include cygwin.com uses HSTS which compliant > >> supporting clients can use to switch to communicating over HTTPS. > >> Clients which are not compliant or don't support HTTPS may still download the > >> programs and files. > > > > I don't see how HSTS solves the particular issue that I'm referring to. > > HSTS redirects requests from port 80 to 443 (HTTPS). Not for me. Well, actually I'm getting inconsistent results... On Mac OS X, neither Firefox, Chrome nor Safari will redirect to SSL. On an old Windows 7 system, neither IE 8 (no surprise there) or Chrome redirects. However, with Chrome, it does not redirect at first, but once I've manually entered https://www.cygwin.com it seems to "realize" that a secure site exists, and after that it starts redirecting to SSL. I can revert that behavior by clearing the cache. So it seems in the case of Chrome, it has to be "taught" about the existence of the secure site... which of course takes us right back to the original problem. -AC -- Archie L. Cobbs -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple