From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 21097 invoked by alias); 12 Mar 2019 14:31:43 -0000 Mailing-List: contact cygwin-help@cygwin.com; run by ezmlm Precedence: bulk List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner@cygwin.com Mail-Followup-To: cygwin@cygwin.com Received: (qmail 21090 invoked by uid 89); 12 Mar 2019 14:31:43 -0000 Authentication-Results: sourceware.org; auth=none X-Spam-SWARE-Status: No, score=-0.4 required=5.0 tests=AWL,BAYES_00,EXECUTABLE_URI,KAM_EXEURI,RCVD_IN_DNSWL_LOW autolearn=no version=3.3.1 spammy=burden, attack X-HELO: smtp-out-so.shaw.ca Received: from smtp-out-so.shaw.ca (HELO smtp-out-so.shaw.ca) (64.59.136.139) by sourceware.org (qpsmtpd/0.93/v0.84-503-g423c35a) with ESMTP; Tue, 12 Mar 2019 14:31:42 +0000 Received: from [192.168.1.114] ([24.64.172.44]) by shaw.ca with ESMTP id 3iROhRI1S5X463iRPhKvaq; Tue, 12 Mar 2019 08:31:40 -0600 Reply-To: Brian.Inglis@SystematicSw.ab.ca Subject: Re: SSL not required for setup.exe download To: cygwin@cygwin.com References: <1a840c2e-55ac-0ab4-66c4-a1f6a2c4f81a@Shaw.ca> <41f12842-ea43-ff63-a660-26ee3b497c63@SystematicSw.ab.ca> <1b570593-0ec7-0890-26ef-7e7468534f47@SystematicSw.ab.ca> From: Brian Inglis Openpgp: preference=signencrypt Message-ID: Date: Tue, 12 Mar 2019 14:31:00 -0000 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.5.3 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-IsSubscribed: yes X-SW-Source: 2019-03/txt/msg00290.txt.bz2 On 2019-03-12 07:47, Archie Cobbs wrote: > On Mon, Mar 11, 2019 at 6:00 PM Lee wrote: >>> I must say I'm surprised so many people think it's a good idea to >>> leave cygwin open to trivial MITM attacks, which is the current state >>> of affairs. >> But it's only open to a trivial MITM attack if the user types in >> "http://cygwin.com" - correct? Why isn't the fix "don't do that"? > Because security that rests on assuming humans will always do the > correct thing has proven to be unreliable (understatement). >>> This is my opinion only of course, but if cygwin wants to have any >>> security credibility, it should simply disallow non-SSL downloads of >>> setup.exe. Otherwise the chain of authenticity is broken forever. >> They sign setup.exe, so "the chain of authenticity" is there regardless. >> https://cygwin.com/setup-x86_64.exe >> https://cygwin.com/setup-x86_64.exe.sig > I don't see your point. > Downloading the sig file over HTTP is useless... any attacker going to > the trouble to launch a MITM attack for setup.exe will certainly also > do it for the sig file as well. > OTOH, if you download the file over HTTPS.. then your client supports > SSL. Which is exactly what I'm saying should be mandatory. Forcing TLS means blocking anyone who for any reason can not use TLS: this is a performance and support burden compared to allowing both HTTP:80 and HTTPS:443. Same reasons most ISPs/ASes/orgs don't filter or validate packet source IP addresses per BCP 38 which would stop most abuses! -- Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada This email may be disturbing to some readers as it contains too much technical detail. Reader discretion is advised. -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple