From: Archie Cobbs
Date: Sun, 10 Mar 2019 04:54:00 -0000
Subject: SSL not required for setup.exe download
To: cygwin@cygwin.com

The FAQ states:

    The Cygwin website provides the setup program (setup-x86.exe or setup-x86_64.exe) using HTTPS (SSL/TLS).

While this is true, it's not mandatory.
If one happens to go to HTTP://www.cygwin.com instead of HTTPS://www.cygwin.com, then neither the page you are viewing (which contains the setup.exe download link) nor the setup.exe download link itself is secured via SSL. So someone who just types "cygwin.com" into the browser location bar and clicks on the setup.exe link is vulnerable to a MITM attack.

It would be safer if http://www.cygwin.com always redirected you to https://www.cygwin.com, where the page and the link are SSL.

Is there any reason not to force this redirect and close this security hole?

-Archie

--
Archie L. Cobbs

--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple