public inbox for cygwin@cygwin.com
* SSL not required for setup.exe download
@ 2019-03-10  4:54 Archie Cobbs
  2019-03-10 13:35 ` Andrey Repin
                   ` (2 more replies)
  0 siblings, 3 replies; 38+ messages in thread
From: Archie Cobbs @ 2019-03-10  4:54 UTC (permalink / raw)
  To: cygwin

The FAQ states:

    The Cygwin website provides the setup program (setup-x86.exe or
setup-x86_64.exe) using HTTPS (SSL/TLS).

While this is true, it's not mandatory.

If one happens to go to HTTP://www.cygwin.com instead of
HTTPS://www.cygwin.com, then neither the page you are viewing (which
contains the setup.exe download link), nor the setup.exe download link
itself are secured via SSL.

So someone who just types "cygwin.com" into the browser location bar
and clicks on the setup.exe link is vulnerable to a MTM attack.

It would be safer if http://www.cygwin.com always redirected you to
https://www.cygwin.com, where the page and the link are SSL.

Is there any reason not to force this redirect and close this security hole?

-Archie

--
Archie L. Cobbs

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple


* Re: SSL not required for setup.exe download
  2019-03-10  4:54 SSL not required for setup.exe download Archie Cobbs
@ 2019-03-10 13:35 ` Andrey Repin
  2019-03-10 16:35   ` Archie Cobbs
  2019-03-10 14:16 ` Brian Inglis
  2019-03-10 14:16 ` SSL not required for setup.exe download Brian Inglis
  2 siblings, 1 reply; 38+ messages in thread
From: Andrey Repin @ 2019-03-10 13:35 UTC (permalink / raw)
  To: Archie Cobbs, cygwin

Greetings, Archie Cobbs!

> The FAQ states:

>     The Cygwin website provides the setup program (setup-x86.exe or
> setup-x86_64.exe) using HTTPS (SSL/TLS).

> While this is true, it's not mandatory.

> If one happens to go to HTTP://www.cygwin.com instead of
> HTTPS://www.cygwin.com, then neither the page you are viewing (which
> contains the setup.exe download link), nor the setup.exe download link
> itself are secured via SSL.

> So someone who just types "cygwin.com" into the browser location bar
> and clicks on the setup.exe link is vulnerable to a MTM attack.

> It would be safer if http://www.cygwin.com always redirected you to
> https://www.cygwin.com, where the page and the link are SSL.

> Is there any reason not to force this redirect and close this security hole?

If you care that much, you would use https.
If not, then I see no reason to bend to a hysteric crowd.


-- 
With best regards,
Andrey Repin
Sunday, March 10, 2019 16:29:01

Sorry for my terrible english...



* Re: SSL not required for setup.exe download
  2019-03-10  4:54 SSL not required for setup.exe download Archie Cobbs
  2019-03-10 13:35 ` Andrey Repin
  2019-03-10 14:16 ` Brian Inglis
@ 2019-03-10 14:16 ` Brian Inglis
  2019-03-10 23:20   ` L A Walsh
  2 siblings, 1 reply; 38+ messages in thread
From: Brian Inglis @ 2019-03-10 14:16 UTC (permalink / raw)
  To: cygwin

On 2019-03-09 21:54, Archie Cobbs wrote:
> The FAQ states:
>     The Cygwin website provides the setup program (setup-x86.exe or
> setup-x86_64.exe) using HTTPS (SSL/TLS).
> While this is true, it's not mandatory.
> If one happens to go to HTTP://www.cygwin.com instead of
> HTTPS://www.cygwin.com, then neither the page you are viewing (which
> contains the setup.exe download link), nor the setup.exe download link
> itself are secured via SSL.
> So someone who just types "cygwin.com" into the browser location bar
> and clicks on the setup.exe link is vulnerable to a MTM attack.
> It would be safer if http://www.cygwin.com always redirected you to
> https://www.cygwin.com, where the page and the link are SSL.
> Is there any reason not to force this redirect and close this security hole?

The whole sourceware.org site including cygwin.com uses HSTS which compliant
supporting clients can use to switch to communicating over HTTPS.
Clients which are not compliant or don't support HTTPS may still download the
programs and files.

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.


* Re: SSL not required for setup.exe download
  2019-03-10 13:35 ` Andrey Repin
@ 2019-03-10 16:35   ` Archie Cobbs
  0 siblings, 0 replies; 38+ messages in thread
From: Archie Cobbs @ 2019-03-10 16:35 UTC (permalink / raw)
  To: cygwin

Hi Andrey,

On Sun, Mar 10, 2019 at 8:35 AM Andrey Repin <anrdaemon@yandex.ru> wrote:
> > Is there any reason not to force this redirect and close this security hole?
>
> If you care that much, you would use https.
> If not, then I see no reason to bend to a hysteric crowd.

You are correct: careful, diligent, knowledgeable people will know to use https.

Those are not the people I'm worried about however... I'm worried
about the other 95% of humanity :)

-Archie

-- 
Archie L. Cobbs


* Re: SSL not required for setup.exe download
  2019-03-10 14:16 ` Brian Inglis
@ 2019-03-10 16:40   ` Archie Cobbs
  2019-03-11  3:51     ` Brian Inglis
  0 siblings, 1 reply; 38+ messages in thread
From: Archie Cobbs @ 2019-03-10 16:40 UTC (permalink / raw)
  To: Brian.Inglis, cygwin

Hi Brian,

On Sun, Mar 10, 2019 at 9:16 AM Brian Inglis <Brian.Inglis@shaw.ca> wrote:
> > Is there any reason not to force this redirect and close this security hole?
>
> The whole sourceware.org site including cygwin.com uses HSTS which compliant
> supporting clients can use to switch to communicating over HTTPS.
> Clients which are not compliant or don't support HTTPS may still download the
> programs and files.

I don't see how HSTS solves the particular issue that I'm referring to.

HSTS only applies to connections that are *already* using HTTPS.
Quoting Wikipedia:

    HSTS mechanism overview

    A server implements an HSTS policy by supplying a header over an
HTTPS connection (HSTS headers over HTTP are ignored).

In any case, the problem I'm talking about is trivial to verify. Just
start up Chrome or Firefox and enter http://www.cygwin.com. You can
then confirm that (a) the page you are looking at has an http:// URL,
and (b) the link to setup.exe also has an http:// URL. Therefore,
there is no real security in this scenario.

-Archie

-- 
Archie L. Cobbs


* Re: SSL not required for setup.exe download
  2019-03-10 14:16 ` SSL not required for setup.exe download Brian Inglis
@ 2019-03-10 23:20   ` L A Walsh
  2019-03-11  3:53     ` Archie Cobbs
  0 siblings, 1 reply; 38+ messages in thread
From: L A Walsh @ 2019-03-10 23:20 UTC (permalink / raw)
  To: cygwin

On 3/10/2019 7:16 AM, Brian Inglis wrote:
> On 2019-03-09 21:54, Archie Cobbs wrote:
>> It would be safer if http://www.cygwin.com always redirected you to
>> https://www.cygwin.com, where the page and the link are SSL.
>> Is there any reason not to force this redirect and close this security hole?
>>     
----
    I think the point is that if you redirect and a client can't
speak https, what happens?  Wouldn't they get an error that would
prevent them from using the site?

    Google has a vested interest in getting people locked in on
https -- makes it much harder for people to use proxies and lower
their requests to google and for them to block some requests.  They get
to control what you get -- not you.

>
> The whole sourceware.org site including cygwin.com uses HSTS which compliant
> supporting clients can use to switch to communicating over HTTPS.
> Clients which are not compliant or don't support HTTPS may still download the
> programs and files.
>
>   


* Re: SSL not required for setup.exe download
  2019-03-10 16:40   ` Archie Cobbs
@ 2019-03-11  3:51     ` Brian Inglis
  2019-03-11  5:16       ` Mark Geisert
  2019-03-11 13:44       ` SSL not " Archie Cobbs
  0 siblings, 2 replies; 38+ messages in thread
From: Brian Inglis @ 2019-03-11  3:51 UTC (permalink / raw)
  To: cygwin

On 2019-03-10 10:40, Archie Cobbs wrote:
> On Sun, Mar 10, 2019 at 9:16 AM Brian Inglis wrote:
>>> Is there any reason not to force this redirect and close this security hole?

There are apparently reasons not to force this redirect as it can also cause a
security hole.

>> The whole sourceware.org site including cygwin.com uses HSTS which compliant
>> supporting clients can use to switch to communicating over HTTPS.
>> Clients which are not compliant or don't support HTTPS may still download the
>> programs and files.
> 
> I don't see how HSTS solves the particular issue that I'm referring to.

HSTS redirects requests from port 80 to 443 (HTTPS).

> HSTS only applies to connections that are *already* using HTTPS.
> Quoting Wikipedia:
> 
>     HSTS mechanism overview
> 
>     A server implements an HSTS policy by supplying a header over an
> HTTPS connection (HSTS headers over HTTP are ignored).

The HSTS Mechanism is a small part of the HSTS implementation:

	https://tools.ietf.org/html/rfc6797

and the wiki article may not be a good description.

> In any case, the problem I'm talking about is trivial to verify. Just
> start up Chrome or Firefox and enter http://www.cygwin.com. You can
> then confirm that (a) the page you are looking at has an http:// URL,
> and (b) the link to setup.exe also has an http:// URL. Therefore,
> there is no real security in this scenario.

I only get to see https://www.cygwin.com/ YMMV

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.


* Re: SSL not required for setup.exe download
  2019-03-10 23:20   ` L A Walsh
@ 2019-03-11  3:53     ` Archie Cobbs
  2019-03-11 13:13       ` Brian Inglis
  2019-03-11 13:22       ` L A Walsh
  0 siblings, 2 replies; 38+ messages in thread
From: Archie Cobbs @ 2019-03-11  3:53 UTC (permalink / raw)
  To: cygwin

On Sun, Mar 10, 2019 at 6:20 PM L A Walsh <cygwin@tlinx.org> wrote:
> >> It would be safer if http://www.cygwin.com always redirected you to
> >> https://www.cygwin.com, where the page and the link are SSL.
> >> Is there any reason not to force this redirect and close this security hole?
>
>     I think the point is that if you redirect and a client can't
> speak https, what happens?  Wouldn't they get an error that would
> prevent them from using the site?

I guess so. Can you name any such client?

-AC

-- 
Archie L. Cobbs


* Re: SSL not required for setup.exe download
  2019-03-11  3:51     ` Brian Inglis
@ 2019-03-11  5:16       ` Mark Geisert
  2019-03-11 11:50         ` Brian Inglis
  2019-03-11 13:13         ` SSL should not be " L A Walsh
  2019-03-11 13:44       ` SSL not " Archie Cobbs
  1 sibling, 2 replies; 38+ messages in thread
From: Mark Geisert @ 2019-03-11  5:16 UTC (permalink / raw)
  To: cygwin

Brian Inglis wrote:
> On 2019-03-10 10:40, Archie Cobbs wrote:
[...]
>> In any case, the problem I'm talking about is trivial to verify. Just
>> start up Chrome or Firefox and enter http://www.cygwin.com. You can
>> then confirm that (a) the page you are looking at has an http:// URL,
>> and (b) the link to setup.exe also has an http:// URL. Therefore,
>> there is no real security in this scenario.
>
> I only get to see https://www.cygwin.com/ YMMV

FWIW, I can reproduce the OP's STC using Chrome, Firefox, and Pale Moon.  Not 
sure why it happens for some folks but not others.  But since it does exist for 
some users, should it be dealt with?

..mark



* Re: SSL not required for setup.exe download
  2019-03-11  5:16       ` Mark Geisert
@ 2019-03-11 11:50         ` Brian Inglis
  2019-03-11 13:13         ` SSL should not be " L A Walsh
  1 sibling, 0 replies; 38+ messages in thread
From: Brian Inglis @ 2019-03-11 11:50 UTC (permalink / raw)
  To: cygwin; +Cc: sourcemaster

On 2019-03-10 23:16, Mark Geisert wrote:
> On 2019-03-10, Brian Inglis wrote:
>> On 2019-03-10 10:40, Archie Cobbs wrote:
>>> In any case, the problem I'm talking about is trivial to verify. Just
>>> start up Chrome or Firefox and enter http://www.cygwin.com. You can
>>> then confirm that (a) the page you are looking at has an http:// URL,
>>> and (b) the link to setup.exe also has an http:// URL. Therefore,
>>> there is no real security in this scenario.
>>
>> I only get to see https://www.cygwin.com/ YMMV
> 
> FWIW, I can reproduce the OP's STC using Chrome, Firefox, and Pale Moon.  Not
> sure why it happens for some folks but not others.  But since it does exist for
> some users, should it be dealt with?

It is possible that some of the clients on some of the systems accessing
sourceware projects may not be capable of supporting HTTPS, TLS, or HSTS, so a
permanent 301 redirection to HTTPS:443 may not be feasible.

If the sourcemaster at sourceware.org dealt with the issues below:

	https://hstspreload.org/?domain=sourceware.org

by changing the header from:

	Strict-Transport-Security: max-age=16070400

to:

	Strict-Transport-Security: max-age=16070400; includeSubDomains; preload

it could be automatic soon in most major browsers using the Chromium/Mozilla
preload list:

	https://github.com/chromium/hstspreload.org

but some of us are currently redirected while others are not.

I have probably been using HTTPS in browsers and scripts since it was supported
by sourceware.org and cygwin.com.
It looks like once browsers or clients have seen the HTTPS:443 STS header, or if
a site is on a preload list, they redirect to HTTPS:443; if you use wget, check
for ~/.wget-hsts which should contain {,www.}{cygwin.com,sourceware.org} if you
used wget to access those sites.

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.


* Re: SSL not required for setup.exe download
  2019-03-11  3:53     ` Archie Cobbs
@ 2019-03-11 13:13       ` Brian Inglis
  2019-03-11 13:22       ` L A Walsh
  1 sibling, 0 replies; 38+ messages in thread
From: Brian Inglis @ 2019-03-11 13:13 UTC (permalink / raw)
  To: cygwin

On 2019-03-10 21:53, Archie Cobbs wrote:
> On Sun, Mar 10, 2019 at 6:20 PM L A Walsh <cygwin@tlinx.org> wrote:
>>>> It would be safer if http://www.cygwin.com always redirected you to
>>>> https://www.cygwin.com, where the page and the link are SSL.
>>>> Is there any reason not to force this redirect and close this security hole?
>>
>>     I think the point is that if you redirect and a client can't
>> speak https, what happens?  Wouldn't they get an error that would
>> prevent them from using the site?
> 
> I guess so. Can you name any such client?

Dillo and likely others on:

	https://en.wikipedia.org/wiki/Comparison_of_lightweight_web_browsers

and clients for RTEMS and other embedded platforms supported by newlib, musl,
and similar libraries, that are too limited to support TLS, HTTPS, etc.

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.


* Re: SSL should not be required for setup.exe download
  2019-03-11  5:16       ` Mark Geisert
  2019-03-11 11:50         ` Brian Inglis
@ 2019-03-11 13:13         ` L A Walsh
  1 sibling, 0 replies; 38+ messages in thread
From: L A Walsh @ 2019-03-11 13:13 UTC (permalink / raw)
  To: cygwin

On 3/10/2019 10:16 PM, Mark Geisert wrote:
> FWIW, I can reproduce the OP's STC using Chrome, Firefox, and Pale Moon.  Not 
> sure why it happens for some folks but not others.  But since it does exist for 
> some users, should it be dealt with?
>   
---
    Probably: https should be disabled on the site, then no one who has
used hsts will be able to access the site.  If https goes down for
some reason, anyone running hsts won't be able to access the site unless
they figure out how to reset their browser.

    Only people who are using https would have hsts enabled.  If someone
only uses http, or is a browser that doesn't accept it or disables
it (for a few years I used a browser setting to disable it) because
I like knowing when google is being notified.  Unfortunately, now,
they are getting my email cuz I had to find a new provider on relative
short notice.  I didn't realize that they delete your incoming list
email if they think you got it directly --  which messes up reading
messages in context on a list.

    They also delete incoming list email that you *sent* from
a google account because, they will tell you, that you can go find
the message in your 'Sent' email (unless you deleted it, in which
case it's your own fault).  As it is, I'm finding emails going
missing because they thought it came through to me, but for whatever
reason may have been filed in another, unrelated email box that
was also Cc'd.

    Google is irresponsible and has a history of creating changes then
backing them out or getting people on products/forums then killing
those products/tools.  If you ever noticed...nearly everything from
them is in "Beta".  A few years ago, google added 'fonts for the web' --
another enticement for web-owners to tell your browser to contact google.
Of course if the text is encrypted because of HSTS, you won't see it
before it has connected. 

Normally I haven't been worried about most of goog's changes but
when they started deleting email that they think I should have another
copy of -- that was unacceptable.  They misrepresented their email
service (that I'm paying for) as able to pass through unfiltered
email.  Such is not the case.  Not only that, but they add about 5-6K
to every message that comes through.  I used to have mail <1K: not
anymore.

As cygwin stands now, only those who choose https, will get it.  Yet
still people are complaining because everyone isn't forced to do the
same.  That is the attitude google and other social echo-chambers
are breeding and cultivating.

I find it anything but innocuous.




* Re: SSL not required for setup.exe download
  2019-03-11  3:53     ` Archie Cobbs
  2019-03-11 13:13       ` Brian Inglis
@ 2019-03-11 13:22       ` L A Walsh
  2019-03-11 13:39         ` L A Walsh
  1 sibling, 1 reply; 38+ messages in thread
From: L A Walsh @ 2019-03-11 13:22 UTC (permalink / raw)
  To: archie.cobbs; +Cc: cygwin

On 3/10/2019 8:53 PM, Archie Cobbs wrote:
> On Sun, Mar 10, 2019 at 6:20 PM L A Walsh <cygwin@tlinx.org> wrote:
>   
>>>> It would be safer if http://www.cygwin.com always redirected you to
>>>> https://www.cygwin.com, where the page and the link are SSL.
>>>> Is there any reason not to force this redirect and close this security hole?
>>>>         
>>     I think the point is that if you redirect and a client can't
>> speak https, what happens?  Wouldn't they get an error that would
>> prevent them from using the site?
>>     
>
> I guess so. Can you name any such client?
>   
---
    Depends on the site, but for several months my browser would get
an error if I tried to go to my distro's website.  They implemented
hsts, but were using an insecure encryption that my browser had
enabled.  So now I try to only use their unencrypted channels for
distro-download, among other things.
 
As for others, and companies, such information is proprietary. 
Why would people advertise they are
using a browser that doesn't speak the latest fad?  If you are
asking for a mainstream browser, forget it, you'd have to
write your own software or make changes in one.  But any browser that
is open source could be configured to disable https on non-sensitive
sites, though eventually, intercepting only encrypted material and
ensuring that the browsers honor well-known CA's, that have
had keys requested under government security letters that forbid
any spread of such interception will get them most of what they
want.

    It's all in the name of protecting the citizens, of course...and
the children: think of the children (yeah, a bit of hyperbole here,
but that doesn't mean it can't be true).






* Re: SSL not required for setup.exe download
  2019-03-11 13:22       ` L A Walsh
@ 2019-03-11 13:39         ` L A Walsh
  0 siblings, 0 replies; 38+ messages in thread
From: L A Walsh @ 2019-03-11 13:39 UTC (permalink / raw)
  To: cygwin

On 3/11/2019 6:22 AM, L A Walsh wrote:
> On 3/10/2019 8:53 PM, Archie Cobbs wrote:
>   
>> I guess so. Can you name any such client?
>>     
---
    Depends on the site, but for several months my browser would get
an error if I tried to go to my distro's website.  They implemented
hsts, but were using an insecure encryption that my browser had
-e̸n̸a̸b̸l̸e̸d̸ _𝑫𝒊𝒔𝒂𝒃𝒍𝒆𝒅_ (oops).



* Re: SSL not required for setup.exe download
  2019-03-11  3:51     ` Brian Inglis
  2019-03-11  5:16       ` Mark Geisert
@ 2019-03-11 13:44       ` Archie Cobbs
  2019-03-11 19:42         ` Brian Inglis
  2019-03-11 20:24         ` SSL should not be required for open source downloading L A Walsh
  1 sibling, 2 replies; 38+ messages in thread
From: Archie Cobbs @ 2019-03-11 13:44 UTC (permalink / raw)
  To: Brian.Inglis, cygwin

On Sun, Mar 10, 2019 at 10:51 PM Brian Inglis
<Brian.Inglis@systematicsw.ab.ca> wrote:
> >>> Is there any reason not to force this redirect and close this security hole?
>
> There are apparently reasons not to force this redirect as it can also cause a
> security hole.

That's really interesting. Can you provide more detail?

> >> The whole sourceware.org site including cygwin.com uses HSTS which compliant
> >> supporting clients can use to switch to communicating over HTTPS.
> >> Clients which are not compliant or don't support HTTPS may still download the
> >> programs and files.
> >
> > I don't see how HSTS solves the particular issue that I'm referring to.
>
> HSTS redirects requests from port 80 to 443 (HTTPS).

Not for me. Well, actually I'm getting inconsistent results...

On Mac OS X, neither Firefox, Chrome nor Safari will redirect to SSL.

On an old Windows 7 system, neither IE 8 (no surprise there) nor Chrome
redirects.

However, with Chrome, it does not redirect at first, but once I've
manually entered https://www.cygwin.com it seems to "realize" that a
secure site exists, and after that it starts redirecting to SSL.

I can revert that behavior by clearing the cache.

So it seems in the case of Chrome, it has to be "taught" about the
existence of the secure site... which of course takes us right back to
the original problem.

-AC

-- 
Archie L. Cobbs
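
The behaviour reported above (no upgrade on a first plain-HTTP visit, upgrade once the HTTPS site has been seen, back to HTTP after clearing browser state) and the header change proposed earlier in the thread can be reproduced with a small model of a client's HSTS store as RFC 6797 describes it. This is an added example, not part of any message in the thread; `parse_sts`, `HstsStore` and `walk_through` are hypothetical names, the URLs are sample input, and the preload entry is a constructed assumption.

```python
"""Added illustration: a minimal model of a client's HSTS state (RFC 6797)."""
from urllib.parse import urlsplit, urlunsplit


def parse_sts(value):
    """Parse a Strict-Transport-Security value.

    Returns (max_age, include_subdomains, preload), or None when the header
    is unusable (missing or invalid max-age, or a repeated directive).
    """
    max_age, include_sub, preload, seen = None, False, False, set()
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not (arg.isascii() and arg.isdigit()):
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":  # not defined by RFC 6797; read by the preload list
            preload = True
    return None if max_age is None else (max_age, include_sub, preload)


class HstsStore:
    """Per-client HSTS knowledge: a shipped preload list plus learned hosts."""

    def __init__(self, preloaded=()):
        # Simplification: every preloaded entry also covers its subdomains.
        self.preloaded = {h.lower() for h in preloaded}
        self.dynamic = {}  # host -> (expires_at, include_subdomains)

    def note_response(self, url, sts_header, now):
        """Record a policy; returns True only if the header was honoured."""
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.hostname:
            return False  # a header received over plain HTTP is ignored
        policy = parse_sts(sts_header)
        if policy is None:
            return False
        max_age, include_sub, _ = policy
        if max_age == 0:
            self.dynamic.pop(parts.hostname, None)  # max-age=0 removes the host
        else:
            self.dynamic[parts.hostname] = (now + max_age, include_sub)
        return True

    def is_known(self, host, now):
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.preloaded:
                return True
            entry = self.dynamic.get(candidate)
            # A parent domain's policy applies only with includeSubDomains.
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

    def rewrite(self, url, now):
        """Return the URL the client would actually request."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname:
            return url
        if not self.is_known(parts.hostname, now):
            return url  # first contact stays on HTTP: nothing learned yet
        port = parts.port
        netloc = parts.hostname if port in (None, 80) else f"{parts.hostname}:{port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))

    def clear(self):
        """Model of clearing browser state: learned hosts are forgotten."""
        self.dynamic.clear()


def walk_through():
    """Replay the behaviour reported in the thread against constructed input."""
    link = "http://www.cygwin.com/setup-x86_64.exe"  # sample URL
    header = "max-age=16070400"                      # header quoted in the thread
    day = 86400
    store, out = HstsStore(), {}
    out["first_visit"] = store.rewrite(link, now=0)
    store.note_response("http://www.cygwin.com/", header, now=0)
    out["after_http_header"] = store.rewrite(link, now=0)
    store.note_response("https://www.cygwin.com/", header, now=0)
    out["after_https_visit"] = store.rewrite(link, now=day)
    out["bare_domain"] = store.rewrite("http://cygwin.com/", now=day)
    out["after_expiry"] = store.rewrite(link, now=16070400)
    store.clear()
    out["after_clear"] = store.rewrite(link, now=day)
    shipped = HstsStore(preloaded=["cygwin.com"])    # hypothetical list entry
    out["preloaded"] = shipped.rewrite(link, now=0)
    return out


if __name__ == "__main__":
    for step, url in walk_through().items():
        print(f"{step:18} {url}")
```

Only the preloaded store upgrades the very first request; every other path depends on an earlier HTTPS visit having been made.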


* Re: SSL not required for setup.exe download
  2019-03-11 13:44       ` SSL not " Archie Cobbs
@ 2019-03-11 19:42         ` Brian Inglis
  2019-03-11 22:14           ` Archie Cobbs
  2019-03-11 20:24         ` SSL should not be required for open source downloading L A Walsh
  1 sibling, 1 reply; 38+ messages in thread
From: Brian Inglis @ 2019-03-11 19:42 UTC (permalink / raw)
  To: cygwin

On 2019-03-11 07:43, Archie Cobbs wrote:
> On Sun, Mar 10, 2019 at 10:51 PM Brian Inglis wrote:
>>>>> Is there any reason not to force this redirect and close this security hole?
>> There are apparently reasons not to force this redirect as it can also cause a
>> security hole.
> That's really interesting. Can you provide more detail?

Search for HTTP HTTPS redirection SSL stripping MitM attack

>>>> The whole sourceware.org site including cygwin.com uses HSTS which compliant
>>>> supporting clients can use to switch to communicating over HTTPS.
>>>> Clients which are not compliant or don't support HTTPS may still download the
>>>> programs and files.
>>> I don't see how HSTS solves the particular issue that I'm referring to.
>> HSTS redirects requests from port 80 to 443 (HTTPS).
> Not for me. Well, actually I'm getting inconsistent results...
> On Mac OS X, neither Firefox, Chrome nor Safari will redirect to SSL.
> On an old Windows 7 system, neither IE 8 (no surprise there) nor Chrome
> redirects.
> However, with Chrome, it does not redirect at first, but once I've
> manually entered https://www.cygwin.com it seems to "realize" that a
> secure site exists, and after that it starts redirecting to SSL.
> I can revert that behavior by clearing the cache.
> So it seems in the case of Chrome, it has to be "taught" about the
> existence of the secure site... which of course takes us right back to
> the original problem.

Some sites, proxies, and CDNs respond with

	HTTP/1.0 302 Found

and redirects to HTTPS:443 followed by the HTTP header.

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.


* Re: SSL should not be required for open source downloading
  2019-03-11 13:44       ` SSL not " Archie Cobbs
  2019-03-11 19:42         ` Brian Inglis
@ 2019-03-11 20:24         ` L A Walsh
  1 sibling, 0 replies; 38+ messages in thread
From: L A Walsh @ 2019-03-11 20:24 UTC (permalink / raw)
  To: archie.cobbs; +Cc: cygwin

On 3/11/2019 6:43 AM, Archie Cobbs wrote:
> On Sun, Mar 10, 2019 at 10:51 PM Brian Inglis
> <Brian.Inglis@systematicsw.ab.ca> wrote:
>   
>>>>> Is there any reason not to force this redirect and close this security hole?
>>>>>           
>> There are apparently reasons not to force this redirect as it can also cause a
>> security hole.
>>     
>
> That's really interesting. Can you provide more detail?
>   
I know that was directed at Brian, but...
Because if the assumption is that the site uses https or will redirect it,
then to start the session the client would send startTLS parameters.

If it so happens that part of the site does not use https, then
an attacker could grab those initial parameters.  Somehow providing
"opensource" binaries doesn't seem like the type of thing that needs
or should even have encryption.
>   
>>>> The whole sourceware.org site including cygwin.com uses HSTS which compliant supporting clients can use to switch to communicating over HTTPS. Clients which are not compliant or don't support HTTPS may still download the programs and files.
>>>>         
>>> I don't see how HSTS solves the particular issue that I'm referring to.
>>>       
>> HSTS redirects requests from port 80 to 443 (HTTPS).
>>     
>
> Not for me. Well, actually I'm getting inconsistent results...
> On Mac OS X, neither Firefox, Chrome nor Safari will redirect to SSL.
>   
FWIW, Apple customizes their library behaviors and doesn't always follow the
standards.
> On an old Windows 7 system, neither IE 8 (no surprise there) or Chrome
> redirects.
>   
---
    HSTS is only set from HTTPS.  If you only access the site in cleartext,
that is what you will get.  If you don't understand HSTS, perhaps reading
and understanding the document would be good before promoting it -- just
sayin'.


^ permalink raw reply	[flat|nested] 38+ messages in thread
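
The HSTS behaviour disputed in this message, modelled as an added example (not code from the thread, from Cygwin, or from any browser): under RFC 6797 a user agent records a Strict-Transport-Security policy only from a response received over HTTPS, so a first visit typed as http:// is not upgraded by HSTS. The host `www.example.org`, the class `HstsStore` and its method names are assumptions made for illustration.

```python
"""Toy model of a user agent's HSTS store, following RFC 6797 processing rules."""
import re
from urllib.parse import urlsplit, urlunsplit


def parse_sts(header_value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).

    Returns None when the required max-age directive is missing or malformed.
    """
    max_age = None
    include_sub = False
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not re.fullmatch(r"\d+", value):
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return max_age, include_sub


class HstsStore:
    """Known HSTS hosts of one user agent (hypothetical class, illustration only)."""

    def __init__(self):
        self._hosts = {}  # host -> (expiry_time, include_subdomains)

    def note_response(self, url, headers, now):
        """Record a policy from a response. Returns True if the store changed.

        The header is ignored unless the response arrived over https: a network
        attacker could otherwise inject or strip it on a cleartext connection.
        """
        parts = urlsplit(url)
        lowered = {k.lower(): v for k, v in headers.items()}
        value = lowered.get("strict-transport-security")
        if parts.scheme != "https" or value is None:
            return False
        parsed = parse_sts(value)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        host = parts.hostname.lower()
        if max_age == 0:            # max-age=0 tells the client to forget the host
            self._hosts.pop(host, None)
            return True
        self._hosts[host] = (now + max_age, include_sub)
        return True

    def _is_known(self, host, now):
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, include_sub = entry
            if expiry > now and (i == 0 or include_sub):
                return True
        return False

    def rewrite(self, url, now):
        """Return the URL the client actually requests (http upgraded if known)."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self._is_known(parts.hostname, now):
            netloc = parts.hostname
            if parts.port not in (None, 80):   # explicit non-default port is kept
                netloc = f"{netloc}:{parts.port}"
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url
```

Until the client has made one successful HTTPS request to the host (or the host is in a browser preload list, which this model leaves out), only a server-side redirect moves a cleartext request to HTTPS, and that redirect itself travels in cleartext.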

* Re: SSL not required for setup.exe download
  2019-03-11 19:42         ` Brian Inglis
@ 2019-03-11 22:14           ` Archie Cobbs
  2019-03-11 22:59             ` Lee
  2019-03-12  0:20             ` Andrey Repin
  0 siblings, 2 replies; 38+ messages in thread
From: Archie Cobbs @ 2019-03-11 22:14 UTC (permalink / raw)
  To: Brian.Inglis, cygwin

On Mon, Mar 11, 2019 at 2:43 PM Brian Inglis
<Brian.Inglis@systematicsw.ab.ca> wrote:
> On 2019-03-11 07:43, Archie Cobbs wrote:
> > On Sun, Mar 10, 2019 at 10:51 PM Brian Inglis wrote:
> >>>>> Is there any reason not to force this redirect and close this security hole?
> >> There are apparently reasons not to force this redirect as it can also cause a
> >> security hole.
> > That's really interesting. Can you provide more detail?
>
> Search for HTTP HTTPS redirection SSL stripping MitM attack

I did, but I only get results relating to the "stripping" attack,
which downgrades from HTTPS to HTTP.

Obviously that would cause a reduction in security... But what I'm
suggesting is the opposite: redirecting from HTTP to HTTPS.

How could that reduce security?

(sigh)

I must say I'm surprised so many people think it's a good idea to
leave cygwin open to trivial MITM attacks, which is the current state
of affairs.

This is my opinion only of course, but if cygwin wants to have any
security credibility, it should simply disallow non-SSL downloads of
setup.exe. Otherwise the chain of authenticity is broken forever.

-AC

-- 
Archie L. Cobbs

^ permalink raw reply	[flat|nested] 38+ messages in thread

* Re: SSL not required for setup.exe download
  2019-03-11 22:14           ` Archie Cobbs
@ 2019-03-11 22:59             ` Lee
  2019-03-12 13:47               ` Archie Cobbs
  2019-03-12  0:20             ` Andrey Repin
  1 sibling, 1 reply; 38+ messages in thread
From: Lee @ 2019-03-11 22:59 UTC (permalink / raw)
  To: cygwin

On 3/11/19, Archie Cobbs wrote:
> On Mon, Mar 11, 2019 at 2:43 PM Brian Inglis wrote:
>> On 2019-03-11 07:43, Archie Cobbs wrote:
>> > On Sun, Mar 10, 2019 at 10:51 PM Brian Inglis wrote:
>> >>>>> Is there any reason not to force this redirect and close this
>> >>>>> security hole?
>> >> There are apparently reasons not to force this redirect as it can also
>> >> cause a
>> >> security hole.
>> > That's really interesting. Can you provide more detail?
>>
>> Search for HTTP HTTPS redirection SSL stripping MitM attack
>
> I did, but I only get results relating to the "stripping" attack,
> which downgrades from HTTPS to HTTP.
>
> Obviously that would cause a reduction in security... But what I'm
> suggesting is the opposite: redirecting from HTTP to HTTPS.
>
> How could that reduce security?

Part of "security" is "availability".  If whatever is doing the download
isn't able to do TLS then redirecting to https://cygwin.com makes
cygwin.com unavailable.

> (sigh)
>
> I must say I'm surprised so many people think it's a good idea to
> leave cygwin open to trivial MITM attacks, which is the current state
> of affairs.

But it's only open to a trivial MITM attack if the user types in
"http://cygwin.com" - correct?  Why isn't the fix "don't do that"?

> This is my opinion only of course, but if cygwin wants to have any
> security credibility, it should simply disallow non-SSL downloads of
> setup.exe. Otherwise the chain of authenticity is broken forever.

They sign setup.exe, so "the chain of authenticity" is there regardless.
  https://cygwin.com/setup-x86_64.exe
  https://cygwin.com/setup-x86_64.exe.sig

Regards,
Lee

^ permalink raw reply	[flat|nested] 38+ messages in thread

* Re: SSL not required for setup.exe download
  2019-03-11 22:14           ` Archie Cobbs
  2019-03-11 22:59             ` Lee
@ 2019-03-12  0:20             ` Andrey Repin
  2019-03-12 19:45               ` Lee
  1 sibling, 1 reply; 38+ messages in thread
From: Andrey Repin @ 2019-03-12  0:20 UTC (permalink / raw)
  To: Archie Cobbs, cygwin

Greetings, Archie Cobbs!

> On Mon, Mar 11, 2019 at 2:43 PM Brian Inglis

>> On 2019-03-11 07:43, Archie Cobbs wrote:
>> > On Sun, Mar 10, 2019 at 10:51 PM Brian Inglis wrote:
>> >>>>> Is there any reason not to force this redirect and close this security hole?
>> >> There are apparently reasons not to force this redirect as it can also cause a
>> >> security hole.
>> > That's really interesting. Can you provide more detail?
>>
>> Search for HTTP HTTPS redirection SSL stripping MitM attack

> I did, but I only get results relating to the "stripping" attack,
> which downgrades from HTTPS to HTTP.

> Obviously that would cause a reduction in security... But what I'm
> suggesting is the opposite: redirecting from HTTP to HTTPS.

> How could that reduce security?

> (sigh)

> I must say I'm surprised so many people think it's a good idea to
> leave cygwin open to trivial MITM attacks, which is the current state
> of affairs.

> This is my opinion only of course, but if cygwin wants to have any
> security credibility, it should simply disallow non-SSL downloads of
> setup.exe. Otherwise the chain of authenticity is broken forever.

All the SSL stuff is built on the idea of implicit unlimited trust.
Which is way worse in my opinion, than any theoretical MITM attack, which is
easily mitigated with proper validation of your downloads.
It gives you a false sense of security. What is worse, everybody is attempting
to reassure this false sense on every possible occasion.

P.S.
Unrelated to the ongoing discussion, please teach your mail client to not
quote raw email addresses.
The mailing list is publicly archived.
There's no pressing need to feed every spambot in existence with a new batch
of fresh targets.


-- 
With best regards,
Andrey Repin
Tuesday, March 12, 2019 3:11:28

Sorry for my terrible english...


^ permalink raw reply	[flat|nested] 38+ messages in thread

* Re: SSL not required for setup.exe download
  2019-03-11 22:59             ` Lee
@ 2019-03-12 13:47               ` Archie Cobbs
  2019-03-12 14:31                 ` Brian Inglis
                                   ` (2 more replies)
  0 siblings, 3 replies; 38+ messages in thread
From: Archie Cobbs @ 2019-03-12 13:47 UTC (permalink / raw)
  To: cygwin

On Mon, Mar 11, 2019 at 6:00 PM Lee wrote:
> > I must say I'm surprised so many people think it's a good idea to
> > leave cygwin open to trivial MITM attacks, which is the current state
> > of affairs.
>
> But it's only open to a trivial MITM attack if the user types in
> "http://cygwin.com" - correct?  Why isn't the fix "don't do that"?

Because security that rests on assuming humans will always do the
correct thing has proven to be unreliable (understatement).

> > This is my opinion only of course, but if cygwin wants to have any
> > security credibility, it should simply disallow non-SSL downloads of
> > setup.exe. Otherwise the chain of authenticity is broken forever.
>
> They sign setup.exe, so "the chain of authenticity" is there regardless.
>   https://cygwin.com/setup-x86_64.exe
>   https://cygwin.com/setup-x86_64.exe.sig

I don't see your point.

Downloading the sig file over HTTP is useless... any attacker going to
the trouble to launch a MITM attack for setup.exe will certainly also
do it for the sig file as well.

OTOH, if you download the file over HTTPS..  then your client supports
SSL. Which is exactly what I'm saying should be mandatory.

-AC

-- 
Archie L. Cobbs

^ permalink raw reply	[flat|nested] 38+ messages in thread

* Re: SSL not required for setup.exe download
  2019-03-12 13:47               ` Archie Cobbs
@ 2019-03-12 14:31                 ` Brian Inglis
  2019-03-12 14:58                   ` Archie Cobbs
  2019-03-12 19:21                 ` Achim Gratz
  2019-03-12 19:59                 ` Lee
  2 siblings, 1 reply; 38+ messages in thread
From: Brian Inglis @ 2019-03-12 14:31 UTC (permalink / raw)
  To: cygwin

On 2019-03-12 07:47, Archie Cobbs wrote:
> On Mon, Mar 11, 2019 at 6:00 PM Lee wrote:
>>> I must say I'm surprised so many people think it's a good idea to
>>> leave cygwin open to trivial MITM attacks, which is the current state
>>> of affairs.
>> But it's only open to a trivial MITM attack if the user types in
>> "http://cygwin.com" - correct?  Why isn't the fix "don't do that"?
> Because security that rests on assuming humans will always do the
> correct thing has proven to be unreliable (understatement).
>>> This is my opinion only of course, but if cygwin wants to have any
>>> security credibility, it should simply disallow non-SSL downloads of
>>> setup.exe. Otherwise the chain of authenticity is broken forever.
>> They sign setup.exe, so "the chain of authenticity" is there regardless.
>>   https://cygwin.com/setup-x86_64.exe
>>   https://cygwin.com/setup-x86_64.exe.sig
> I don't see your point.
> Downloading the sig file over HTTP is useless... any attacker going to
> the trouble to launch a MITM attack for setup.exe will certainly also
> do it for the sig file as well.
> OTOH, if you download the file over HTTPS..  then your client supports
> SSL. Which is exactly what I'm saying should be mandatory.

Forcing TLS means blocking anyone who for any reason can not use TLS: this is a
performance and support burden compared to allowing both HTTP:80 and HTTPS:443.
Same reasons most ISPs/ASes/orgs don't filter or validate packet source IP
addresses per BCP 38 which would stop most abuses!

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.

^ permalink raw reply	[flat|nested] 38+ messages in thread

* Re: SSL not required for setup.exe download
  2019-03-12 14:31                 ` Brian Inglis
@ 2019-03-12 14:58                   ` Archie Cobbs
  2019-03-15 12:25                     ` Brian Inglis
  0 siblings, 1 reply; 38+ messages in thread
From: Archie Cobbs @ 2019-03-12 14:58 UTC (permalink / raw)
  To: Brian.Inglis, cygwin

On Tue, Mar 12, 2019 at 9:32 AM Brian Inglis wrote:
> > OTOH, if you download the file over HTTPS..  then your client supports
> > SSL. Which is exactly what I'm saying should be mandatory.
>
> Forcing TLS means blocking anyone who for any reason can not use TLS: this is a
> performance and support burden compared to allowing both HTTP:80 and HTTPS:443.

OK. Personally I have trouble believing any such person exists. That
is, a person who has access to an HTTP client, but not an HTTPS
client, for the one-time operation of downloading setup.exe. What are
they using, a TRS-80?

Anyway no worries, I'm giving up on this issue. Too much inertia around here.

-AC

-- 
Archie L. Cobbs

^ permalink raw reply	[flat|nested] 38+ messages in thread

* Re: SSL not required for setup.exe download
  2019-03-12 13:47               ` Archie Cobbs
  2019-03-12 14:31                 ` Brian Inglis
@ 2019-03-12 19:21                 ` Achim Gratz
  2019-03-12 19:59                 ` Lee
  2 siblings, 0 replies; 38+ messages in thread
From: Achim Gratz @ 2019-03-12 19:21 UTC (permalink / raw)
  To: cygwin

Archie Cobbs writes:
> Downloading the sig file over HTTP is useless... any attacker going to
> the trouble to launch a MITM attack for setup.exe will certainly also
> do it for the sig file as well.

No, the signature would be rejected if you cared to actually check the
key and signature (truly checking the key mandates a separate
information channel that hopefully is not under the control of the
attacker).  Now, if you are postulating an attacker that can sign with
the correct key, then there would be no need for a cleartext MitM
attack in the first place.

> OTOH, if you download the file over HTTPS..  then your client supports
> SSL. Which is exactly what I'm saying should be mandatory.

Well, everyone so far agreed with you that TLS is preferable (although
it isn't nearly as foolproof as you seem to believe).  But you don't
seem to grasp that not everyone can use it every time and that the
fallback is actually better than the DoS that would result for folks
that are cut off from doing (proper) HTTPS.


Regards,
Achim.
-- 
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

Wavetables for the Terratec KOMPLEXER:
http://Synth.Stromeko.net/Downloads.html#KomplexerWaves

^ permalink raw reply	[flat|nested] 38+ messages in thread

* Re: SSL not required for setup.exe download
  2019-03-12  0:20             ` Andrey Repin
@ 2019-03-12 19:45               ` Lee
  2019-03-12 20:35                 ` Andrey Repin
                                   ` (2 more replies)
  0 siblings, 3 replies; 38+ messages in thread
From: Lee @ 2019-03-12 19:45 UTC (permalink / raw)
  To: cygwin

On 3/11/19, Andrey Repin  wrote:
> Greetings, Archie Cobbs!
>
>> I must say I'm surprised so many people think it's a good idea to
>> leave cygwin open to trivial MITM attacks, which is the current state
>> of affairs.
>
>> This is my opinion only of course, but if cygwin wants to have any
>> security credibility, it should simply disallow non-SSL downloads of
>> setup.exe. Otherwise the chain of authenticity is broken forever.
>
> All the SSL stuff is build on idea of implicit unlimited trust.

I agree, the whole certificate authority bit seems to .. over-promise.
On the other hand, it does also seem to "raise the bar" making it
much more difficult to snoop or alter data in transit.

> Which is way worse in my opinion, than any theoretical MITM attack, which
> is easily mitigated with proper validation of your downloads.

Serious question - exactly how does one do "proper validation of your
downloads"?

For example, I don't have the current version of 7-zip
  https://www.7-zip.org/
has a download link, but I don't see anything for a .sig, checksum or anything.
  https://sourceforge.net/projects/sevenzip/files/7-Zip/19.00/
isn't any better.
It seems to me that the best I can do is make sure I do the download
via an https:// link

> It gives you false sense of security. What is worse, everybody is
> attempting
> to reassure this false sense on every possible occasion.

I don't think it's a false sense of security.  https:// isn't "safe"
but it is _safer_ than http://

Regards,
Lee

^ permalink raw reply	[flat|nested] 38+ messages in thread

* Re: SSL not required for setup.exe download
  2019-03-12 13:47               ` Archie Cobbs
  2019-03-12 14:31                 ` Brian Inglis
  2019-03-12 19:21                 ` Achim Gratz
@ 2019-03-12 19:59                 ` Lee
  2 siblings, 0 replies; 38+ messages in thread
From: Lee @ 2019-03-12 19:59 UTC (permalink / raw)
  To: cygwin

On 3/12/19, Archie Cobbs  wrote:
> On Mon, Mar 11, 2019 at 6:00 PM Lee wrote:
>> > I must say I'm surprised so many people think it's a good idea to
>> > leave cygwin open to trivial MITM attacks, which is the current state
>> > of affairs.
>>
>> But it's only open to a trivial MITM attack if the user types in
>> "http://cygwin.com" - correct?  Why isn't the fix "don't do that"?
>
> Because security that rests on assuming humans will always do the
> correct thing has proven to be unreliable (understatement).
>
>> > This is my opinion only of course, but if cygwin wants to have any
>> > security credibility, it should simply disallow non-SSL downloads of
>> > setup.exe. Otherwise the chain of authenticity is broken forever.
>>
>> They sign setup.exe, so "the chain of authenticity" is there regardless.
>>   https://cygwin.com/setup-x86_64.exe
>>   https://cygwin.com/setup-x86_64.exe.sig
>
> I don't see your point.
>
> Downloading the sig file over HTTP is useless... any attacker going to
> the trouble to launch a MITM attack for setup.exe will certainly also
> do it for the sig file as well.

Have you ever used gpg?  It tells you who signed the file:
$ gpg --verify cygwinSetup-x86_64.exe.sig cygwinSetup-x86_64.exe
gpg: Signature made Sun, Oct 21, 2018 12:02:34 PM EDT
gpg:                using DSA key 0xA9A262FF676041BA
gpg: Good signature from "Cygwin <cygwin@cygwin.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 1169 DF9F 2273 4F74 3AA5  9232 A9A2 62FF 6760 41BA

So even if someone was able to hijack cygwin.com, the files I
downloaded won't verify.

and yes.. gpg key usage tends to devolve to 'trust on first use' but
even so, it still seems better than most alternatives.

Regards,
Lee

^ permalink raw reply	[flat|nested] 38+ messages in thread

* Re: SSL not required for setup.exe download
  2019-03-12 19:45               ` Lee
@ 2019-03-12 20:35                 ` Andrey Repin
  2019-03-12 21:14                   ` Lee
  2019-03-12 20:42                 ` Achim Gratz
  2019-03-12 21:35                 ` Andrey Repin
  2 siblings, 1 reply; 38+ messages in thread
From: Andrey Repin @ 2019-03-12 20:35 UTC (permalink / raw)
  To: Lee, cygwin

Greetings, Lee!

>> Which is way worse in my opinion, than any theoretical MITM attack, which
>> is easily mitigated with proper validation of your downloads.

> Serious question - exactly how does one do "proper validation of your
> downloads"?

Use PGP signature to validate the installer. Use separate channel to obtain
trust records for PGP key used in signing.

And not blindly trust "supposedly-secure" connections.


-- 
With best regards,
Andrey Repin
Tuesday, March 12, 2019 23:31:45

Sorry for my terrible english...


^ permalink raw reply	[flat|nested] 38+ messages in thread
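
The check that Achim Gratz, Lee and Andrey Repin describe in the messages above, as an added example (not code from the thread or from the Cygwin project): a detached signature is accepted only if gpg reports it good and the signing key's fingerprint equals one pinned in advance. The fingerprint is the one printed in Lee's gpg output; the status lines are constructed samples, and the function names are assumptions.

```python
"""Accept a detached OpenPGP signature only if it is good AND made by a pinned key."""
import subprocess

# Fingerprint as printed in the gpg output quoted in this thread. Pin it only
# after confirming it through a channel other than the download itself.
PINNED_FPR = "1169 DF9F 2273 4F74 3AA5  9232 A9A2 62FF 6760 41BA"

# Status keywords that must never accompany an accepted signature.
# VALIDSIG alone is not enough: gpg also emits it with EXPKEYSIG or REVKEYSIG.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

# Constructed samples of `gpg --status-fd 1 --verify` output (not captured logs).
SAMPLE_GOOD = """\
[GNUPG:] GOODSIG A9A262FF676041BA Cygwin <cygwin@cygwin.com>
[GNUPG:] VALIDSIG 1169DF9F22734F743AA59232A9A262FF676041BA 2018-10-21 1540137754 0 4 0 17 8 00 1169DF9F22734F743AA59232A9A262FF676041BA
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
# Same user ID, different key: what a swapped exe + sig + key would produce.
# The fingerprint below is a made-up placeholder.
SAMPLE_OTHER_KEY = """\
[GNUPG:] GOODSIG 89ABCDEF01234567 Cygwin <cygwin@cygwin.com>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2019-03-12 1552400000 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
SAMPLE_EXPIRED_KEY = """\
[GNUPG:] EXPKEYSIG A9A262FF676041BA Cygwin <cygwin@cygwin.com>
[GNUPG:] VALIDSIG 1169DF9F22734F743AA59232A9A262FF676041BA 2018-10-21 1540137754 0 4 0 17 8 00 1169DF9F22734F743AA59232A9A262FF676041BA
"""


def normalize_fpr(fpr):
    """Strip the spacing gpg prints in fingerprints and upper-case the hex."""
    return "".join(fpr.split()).upper()


def evaluate_status(status_text, pinned_fpr=PINNED_FPR):
    """Return (accepted, reason) for machine-readable gpg status output."""
    pinned = normalize_fpr(pinned_fpr)
    good = 0
    primaries = []
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        keyword, args = fields[1], fields[2:]
        if keyword in REJECT:
            return False, "gpg reported " + keyword
        if keyword == "GOODSIG":
            good += 1
        elif keyword == "VALIDSIG" and args:
            # args[0] is the fingerprint of the key that signed; the tenth
            # argument, when present, is the primary key's fingerprint.
            primaries.append((args[9] if len(args) >= 10 else args[0]).upper())
    if good != 1 or len(primaries) != 1:
        return False, "expected exactly one good signature"
    if primaries[0] != pinned:
        return False, "good signature, but from unpinned key " + primaries[0]
    return True, "good signature from pinned key"


def verify_detached(sig_path, data_path, pinned_fpr=PINNED_FPR, gpg="gpg"):
    """Run gpg on a file and its detached signature, then apply the pin."""
    proc = subprocess.run(
        [gpg, "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        stdout=subprocess.PIPE, stderr=subprocess.DEVNULL, text=True, check=False,
    )
    accepted, reason = evaluate_status(proc.stdout, pinned_fpr)
    if accepted and proc.returncode != 0:
        return False, "gpg exited with status %d" % proc.returncode
    return accepted, reason


if __name__ == "__main__":
    for name, sample in [("good", SAMPLE_GOOD), ("other key", SAMPLE_OTHER_KEY),
                         ("expired key", SAMPLE_EXPIRED_KEY)]:
        print(name, evaluate_status(sample))
```

With the fingerprint pinned, gpg's "not certified with a trusted signature" warning (the `TRUST_UNDEFINED` line) no longer decides the outcome; what decides it is where the pinned value came from.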

* Re: SSL not required for setup.exe download
  2019-03-12 19:45               ` Lee
  2019-03-12 20:35                 ` Andrey Repin
@ 2019-03-12 20:42                 ` Achim Gratz
  2019-03-12 21:32                   ` Lee
  2019-03-12 21:35                 ` Andrey Repin
  2 siblings, 1 reply; 38+ messages in thread
From: Achim Gratz @ 2019-03-12 20:42 UTC (permalink / raw)
  To: cygwin

Lee writes:
> I don't think it's a false sense of security.  https:// isn't "safe"
> but it is _safer_ than http://

Unless you are in an environment where an extra root cert is injected
just to be able to break up the encrypted connection.  Which is a lot
more common than people think and is not quite as easy to check for as
some folks make it out.


Regards,
Achim.
-- 
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

Factory and User Sound Singles for Waldorf Q+, Q and microQ:
http://Synth.Stromeko.net/Downloads.html#WaldorfSounds

^ permalink raw reply	[flat|nested] 38+ messages in thread

* Re: SSL not required for setup.exe download
  2019-03-12 20:35                 ` Andrey Repin
@ 2019-03-12 21:14                   ` Lee
  2019-03-12 21:35                     ` Andrey Repin
  0 siblings, 1 reply; 38+ messages in thread
From: Lee @ 2019-03-12 21:14 UTC (permalink / raw)
  To: cygwin

On 3/12/19, Andrey Repin <anrdaemon@yandex.ru> wrote:
> Greetings, Lee!
>
>>> Which is way worse in my opinion, than any theoretical MITM attack,
>>> which
>>> is easily mitigated with proper validation of your downloads.
>
>> Serious question - exactly how does one do "proper validation of your
>> downloads"?
>
> Use PGP signature to validate the installer. Use separate channel to obtain
> trust records for PGP key used in signing.

Yes, in the ideal world.  But at least in my experience, most windows
software doesn't come with a pgp signature & using a separate channel
to get the pgp key isn't so easy.

Just out of curiosity.. has the cygwin public key been posted in
multiple places or sent to the mailing list?  Getting the exe, sig &
key from https://cygwin.com/install.html seems not the best security.

> And not blindly trust "supposedly-secure" connections.

I don't.  But I trust TLS connections a lot more than I trust
clear-text connections.

Regards,
Lee

^ permalink raw reply	[flat|nested] 38+ messages in thread

* Re: SSL not required for setup.exe download
  2019-03-12 20:42                 ` Achim Gratz
@ 2019-03-12 21:32                   ` Lee
  0 siblings, 0 replies; 38+ messages in thread
From: Lee @ 2019-03-12 21:32 UTC (permalink / raw)
  To: cygwin

On 3/12/19, Achim Gratz wrote:
> Lee writes:
>> I don't think it's a false sense of security.  https:// isn't "safe"
>> but it is _safer_ than http://
>
> Unless you are in an environment where an extra root cert is injected
> just to be able to break up the encrypted connection.  Which is a lot
> more common than people think and is not quite as easy to check for as
> some folks make it out.

Right - checking the web-site cert on every site gets old fast.  Which
is why I liked the firefox cert patrol addon reminding me $WORK had
their "data loss protection" screening in action.

But even with the security office being able to snoop or modify every
one of my https:// connections, it's just the security office people,
so it still seems safer using tls than clear-text connections.

Regards,
Lee

^ permalink raw reply	[flat|nested] 38+ messages in thread

* Re: SSL not required for setup.exe download
  2019-03-12 19:45               ` Lee
  2019-03-12 20:35                 ` Andrey Repin
  2019-03-12 20:42                 ` Achim Gratz
@ 2019-03-12 21:35                 ` Andrey Repin
  2019-03-12 21:50                   ` Lee
  2 siblings, 1 reply; 38+ messages in thread
From: Andrey Repin @ 2019-03-12 21:35 UTC (permalink / raw)
  To: Lee, cygwin

Greetings, Lee!

>> It gives you false sense of security. What is worse, everybody is
>> attempting
>> to reassure this false sense on every possible occasion.

> I don't think it's a false sense of security.  https:// isn't "safe"
> but it is _safer_ than http://

Yep. Now, let's recall mcafee, norton, kaspersky, avast… and all those other
"antiviruses" that proxy all TLS traffic through their own root certificate
proxy.


-- 
With best regards,
Andrey Repin
Wednesday, March 13, 2019 0:23:19

Sorry for my terrible english...

^ permalink raw reply	[flat|nested] 38+ messages in thread

* Re: SSL not required for setup.exe download
  2019-03-12 21:14                   ` Lee
@ 2019-03-12 21:35                     ` Andrey Repin
  2019-03-12 22:01                       ` Lee
  0 siblings, 1 reply; 38+ messages in thread
From: Andrey Repin @ 2019-03-12 21:35 UTC (permalink / raw)
  To: Lee, cygwin

Greetings, Lee!

>> Greetings, Lee!
>>
>>>> Which is way worse in my opinion, than any theoretical MITM attack,
>>>> which
>>>> is easily mitigated with proper validation of your downloads.
>>
>>> Serious question - exactly how does one do "proper validation of your
>>> downloads"?
>>
>> Use PGP signature to validate the installer. Use separate channel to obtain
>> trust records for PGP key used in signing.

> Yes, in the ideal world.  But at least in my experience, most windows
> software doesn't come with a pgp signature & using a separate channel
> to get the pgp key isn't so easy.

In my experience, this is a Cygwin mailing list and we're discussing issues
of obtaining and verifying the authenticity of setup.exe.

P.S.
In regard to Cygwin mailing list, please teach your mail agent to not quote
raw email addresses.


-- 
With best regards,
Andrey Repin
Wednesday, March 13, 2019 0:32:21

Sorry for my terrible english...


^ permalink raw reply	[flat|nested] 38+ messages in thread

* Re: SSL not required for setup.exe download
  2019-03-12 21:35                 ` Andrey Repin
@ 2019-03-12 21:50                   ` Lee
  2019-03-13 20:50                     ` Andrey Repin
  0 siblings, 1 reply; 38+ messages in thread
From: Lee @ 2019-03-12 21:50 UTC (permalink / raw)
  To: cygwin

On 3/12/19, Andrey Repin wrote:
> Greetings, Lee!
>
>>> It gives you false sense of security. What is worse, everybody is
>>> attempting
>>> to reassure this false sense on every possible occasion.
>
>> I don't think it's a false sense of security.  https:// isn't "safe"
>> but it is _safer_ than http://
>
> Yep. Now, let's recall mcafee, norton, kaspersky, avast… and all those
> other
> "antiviruses" that proxy all TLS traffic through their own root certificate
> proxy.

But you did that to yourself.  Hopefully you evaluated the risk/reward
in letting your a/v intercept everything.  Or are at least aware that
your a/v is intercepting everything.

Although I have a feeling most home users aren't aware of
  https://www.us-cert.gov/ncas/alerts/TA17-075A
I haven't been paying attention - hopefully the situation has improved.

Regards,
Lee

^ permalink raw reply	[flat|nested] 38+ messages in thread

* Re: SSL not required for setup.exe download
  2019-03-12 21:35                     ` Andrey Repin
@ 2019-03-12 22:01                       ` Lee
  0 siblings, 0 replies; 38+ messages in thread
From: Lee @ 2019-03-12 22:01 UTC (permalink / raw)
  To: cygwin

On 3/12/19, Andrey Repin wrote:
> Greetings, Lee!
>
>>>>> Which is way worse in my opinion, than any theoretical MITM attack,
>>>>> which
>>>>> is easily mitigated with proper validation of your downloads.
>>>
>>>> Serious question - exactly how does one do "proper validation of your
>>>> downloads"?
>>>
>>> Use PGP signature to validate the installer. Use separate channel to
>>> obtain
>>> trust records for PGP key used in signing.
>
>> Yes, in the ideal world.  But at least in my experience, most windows
>> software doesn't come with a pgp signature & using a separate channel
>> to get the pgp key isn't so easy.
>
> In my experience, this is a Cygwin mailing list and we're discussing issues
> of obtaining and verifying the authenticity of setup.exe.

But you made proper validation sound so easy and so general :)

But ok, we'll limit it to just the cygwin setup.exe.  What separate
channel is available for finding the cygwin signing key?  My
recollection is that I gave up looking & used the link on the install
page to get the public key.

> P.S.
> In regard to Cygwin mailing list, please teach your mail agent to not quote
> raw email addresses.

Sorry about that

Regards,
Lee

^ permalink raw reply	[flat|nested] 38+ messages in thread

* Re: SSL not required for setup.exe download
  2019-03-12 21:50                   ` Lee
@ 2019-03-13 20:50                     ` Andrey Repin
  0 siblings, 0 replies; 38+ messages in thread
From: Andrey Repin @ 2019-03-13 20:50 UTC (permalink / raw)
  To: Lee, cygwin


Greetings, Lee!

> On 3/12/19, Andrey Repin wrote:
>> Greetings, Lee!
>>
>>>> It gives you false sense of security. What is worse, everybody is
>>>> attempting
>>>> to reassure this false sense on every possible occasion.
>>
>>> I don't think it's a false sense of security.  https:// isn't "safe"
>>> but it is _safer_ than http://
>>
>> Yep. Now, let's recall mcafee, norton, kaspersky, avast… and all those
>> other
>> "antiviruses" that proxy all TLS traffic through their own root certificate
>> proxy.

> But you did that to yourself.

I did not. But other people are running that setup unsuspected.

> Hopefully you evaluated the risk/reward in letting your a/v intercept everything.

Yes. That's why I am not running anything of that kind.


-- 
With best regards,
Andrey Repin
Wednesday, March 13, 2019 23:30:34

Sorry for my terrible english...


* Re: SSL not required for setup.exe download
  2019-03-12 14:58                   ` Archie Cobbs
@ 2019-03-15 12:25                     ` Brian Inglis
  2019-03-28 18:13                       ` Erik Soderquist
  0 siblings, 1 reply; 38+ messages in thread
From: Brian Inglis @ 2019-03-15 12:25 UTC (permalink / raw)
  To: cygwin

On 2019-03-12 08:58, Archie Cobbs wrote:
> On Tue, Mar 12, 2019 at 9:32 AM Brian Inglis wrote:
>>> OTOH, if you download the file over HTTPS..  then your client supports
>>> SSL. Which is exactly what I'm saying should be mandatory.
>> Forcing TLS means blocking anyone who for any reason can not use TLS: this is a
>> performance and support burden compared to allowing both HTTP:80 and HTTPS:443.
> OK. Personally I have trouble believing any such person exists. That
> is, a person who has access to an HTTP client, but not an HTTPS
> client, for the one-time operation of downloading setup.exe. What are
> they using, a TRS-80?

I never said it was a person nor that they did not have access to a TLS client.
I said they could not use a TLS client, which could be because of platform
deficiencies, corporate policies, proxies, firewalls, security products.
Systems or images older than a year may need the new root CA installed - some
enterprises are very selective about including support for anything in their
images - and users may not have root CA store access.
I have systems which can support only original SSL not TLS - good luck using
HTTPS to or from them, without using equally old software or libraries!

> Anyway no worries, I'm giving up on this issue. Too much inertia around here.

Perhaps just a desire not to break users' access based on a wider understanding
and experience of the variety across the complete ecosystem in which the
projects are used, not just folks using modern desktop GUIs with no system or
network access policies or restrictions.

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.


* Re: SSL not required for setup.exe download
  2019-03-15 12:25                     ` Brian Inglis
@ 2019-03-28 18:13                       ` Erik Soderquist
  0 siblings, 0 replies; 38+ messages in thread
From: Erik Soderquist @ 2019-03-28 18:13 UTC (permalink / raw)
  To: cygwin

On Fri, Mar 15, 2019 at 8:25 AM Brian Inglis wrote:
> ... corporate policies, proxies, firewalls, security products.
> Systems or images older than a year may need the new root CA installed - some
> enterprises are very selective about including support for anything in their
> images - and users may not have root CA store access.

I am one of these; a few sites I maintain are behind corporate
firewalls that explicitly block access to sites that can't scan the
communications on to prevent leaking of sensitive internal data.  For
these sites I have no choice but to use the http connections to be
able to update, and I also download signatures and verify against
public keys that the file is indeed the correct file rather than
something injected by an MitM attack before executing.  (Yes, this has
saved my bacon a couple times).

If http is disabled, these sites likely will never be updated again.

-- Erik

--
"I do not think any of us are truly sane, Caleb. Not even you. Courage
is not sanity. Being willing to die for someone else is not sanity."
... "Love is not sane, nor is faith." ... "If sanity lacks those
things, Caleb, I want no part of it."

-- Alexandria Terri in "Weaving the Wyvern" by Alexis Desiree Thorne
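
Added example (not part of the thread, and not Cygwin's own tooling): the
verify-before-execute step described in the message above, as a fail-closed
shell wrapper around gpgv. The function names and the keyring file are
assumptions; the keyring is taken to hold only the publisher's public key,
obtained over a trusted channel.

```sh
#!/bin/sh
# Added example (not from the thread). Assumes gpgv is installed and that
# KEYRING holds only the publisher's public key in binary form
# (gpg --export output, not ASCII armor), obtained over a trusted channel.

# verify_detached KEYRING SIGFILE DATAFILE
# Returns 0 only for a valid signature over DATAFILE by a key in KEYRING.
verify_detached() {
    keyring=$1; sig=$2; data=$3
    # A missing or empty input is a failure, never "nothing to check".
    for f in "$keyring" "$sig" "$data"; do
        [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 2; }
    done
    command -v gpgv >/dev/null 2>&1 || { echo "gpgv not found" >&2; return 3; }
    # gpgv looks up slash-less keyring names in its home directory, so
    # anchor a bare file name to the current directory.
    case $keyring in */*) ;; *) keyring=./$keyring ;; esac
    # gpgv trusts exactly the keys in the keyring: no web of trust, no key
    # servers, so the result does not depend on how the files were fetched.
    status=$(gpgv --keyring "$keyring" --status-fd 1 "$sig" "$data" 2>/dev/null) || return 1
    # Require an explicit VALIDSIG status line as well as exit code 0.
    printf '%s\n' "$status" | grep -q '^\[GNUPG:\] VALIDSIG ' || return 1
}

# run_if_verified KEYRING SIGFILE PROGRAM [ARGS...]
# Executes PROGRAM only after its detached signature has verified.
run_if_verified() {
    keyring=$1; sig=$2; program=$3
    shift 3
    # Run the file that was checked, not a same-named program found on PATH.
    case $program in */*) ;; *) program=./$program ;; esac
    if verify_detached "$keyring" "$sig" "$program"; then
        "$program" "$@"
    else
        echo "refusing to run $program: signature not verified" >&2
        return 1
    fi
}
```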
