From: Archie Cobbs
Date: Tue, 12 Mar 2019 13:47:00 -0000
Subject: Re: SSL not required for setup.exe download
To: cygwin@cygwin.com

On Mon, Mar 11, 2019 at 6:00 PM Lee wrote:
> > I must say I'm surprised so many people think it's a good idea to
> > leave cygwin open to trivial MITM attacks, which is the current state
> > of affairs.
>
> But it's only open to a trivial MITM attack if the user types in
> "http://cygwin.com" - correct? Why isn't the fix "don't do that"?

Because security that rests on assuming humans will always do the
correct thing has proven to be unreliable (understatement).

> > This is my opinion only of course, but if cygwin wants to have any
> > security credibility, it should simply disallow non-SSL downloads of
> > setup.exe. Otherwise the chain of authenticity is broken forever.
>
> They sign setup.exe, so "the chain of authenticity" is there regardless.
> https://cygwin.com/setup-x86_64.exe
> https://cygwin.com/setup-x86_64.exe.sig

I don't see your point. Downloading the sig file over HTTP is
useless... any attacker going to the trouble to launch a MITM attack
for setup.exe will certainly also do it for the sig file as well.

OTOH, if you download the file over HTTPS.. then your client supports
SSL. Which is exactly what I'm saying should be mandatory.

-AC

--
Archie L. Cobbs