Mail Archives: cygwin/2010/03/16/05:23:46

X-Recipient: archive-cygwin AT delorie DOT com
X-SWARE-Spam-Status: No, hits=-2.5 required=5.0 tests=AWL,BAYES_00
X-Spam-Check-By: sourceware.org
Message-ID: <4B9F6069.4010306@gmail.com>
Date: Tue, 16 Mar 2010 10:41:45 +0000
From: Dave Korn <dave DOT korn DOT cygwin AT googlemail DOT com>
User-Agent: Thunderbird 2.0.0.17 (Windows/20080914)
MIME-Version: 1.0
To: cygwin AT cygwin DOT com
Subject: Re: incomplete/corrupted setup.exe
References: <1268526388 DOT 20918 DOT ezmlm AT cygwin DOT com> <Pine DOT LNX DOT 4 DOT 58 DOT 1003141111350 DOT 14642 AT mail3 DOT jubileegroup DOT co DOT uk> <20100314163002 DOT GA12172 AT ednor DOT casa DOT cgf DOT cx> <03988E63C1BD48809EA3A27E4D6A3661 AT phoenix> <4B9D1B9C DOT 6000302 AT monai DOT ca> <20100314190223 DOT GD13515 AT ednor DOT casa DOT cgf DOT cx> <4B9EEC2D DOT 9020602 AT monai DOT ca> <1ef5a52f1003160253g55aa7bf7l79bda3768f50c969 AT mail DOT gmail DOT com>
In-Reply-To: <1ef5a52f1003160253g55aa7bf7l79bda3768f50c969@mail.gmail.com>
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com

On 16/03/2010 09:53, Csaba Raduly wrote:
> On Tue, Mar 16, 2010 at 3:25 AM, Steven Monai wrote:
> [snip]
>> IT departments are becoming increasingly security conscious. That's
>> probably why the OP had trouble downloading setup.exe. It wasn't because
>> his IT was "brain-dead", but because there are legitimate security
>> concerns about downloading an unsigned exe over a non-SSL-authenticated
>> channel.
> 
> Unfortunately, many IT departments follow the "We must do something.
> This is something. Therefore we must do this." action plan :/
> Installing a webfilter falls into this category, IMO.

  Certainly, if the IT department's goal is to enforce secure signed
downloads, I fail to see how they can do this by pattern matching against file
names.

>> I suggest people inform themselves about the current state of art in
>> "man-in-the-middle" hijacking attacks, because the means by which
>> cygwin.com currently distributes setup.exe is vulnerable to a MITM
>> surreptitiously delivering a trojan setup.exe in place of the actual.
>> For this reason, I caution Cygwin users against downloading setup.exe
>> over unsafe networks (e.g. public wireless hotspots, hotel networks, etc.).
> 
> Or the Internet, in general :)
> 
> Perhaps the MD5 and/or SHA1 checksums for the current setup.exe should
> be published (and updated every time there's a new release) next to
> the download link (like Apache does, for example)

  Any theoretical MITM who can redirect your download of setup.exe to a
malicious version can just as easily also redirect your download of index.html
likewise to an edited version with fake checksums.

  It would be very nice to be able to serve it up over https, but it's not
just a matter of "Buy a cert for a couple of hundred bucks, edit httpd.conf
and away you go".  Sourceware.org is a busy and vital public server, so there
are plenty of issues to be considered, like doing some proper benchmarking and
making sure adding SSL doesn't significantly impact the availability and load
levels on the server, possibly having to add more capacity, and then there's
all the accountability-and-control issues about who is responsible for the
certificate and how and where it is maintained.....

  It is however a very highly-desirable goal.  I'll try and find some round
tuits to see if we can't get some traction.

    cheers,
      DaveK


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
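The following is an added worked example, written for this archive page; it is not code from the thread, from Dave Korn, or from the Cygwin project. It simulates the two situations the reply above contrasts: a client that verifies setup.exe against a checksum fetched from the same unauthenticated channel (no protection against an attacker on that path, because the attacker rewrites index.html too), and a client that verifies against a hash learned out of band (detects the substitution). The "server", the "MITM", the file contents and the helper names (build_site, fetch_via, verify_same_channel, verify_out_of_band) are all constructed for the demonstration; SHA-256 is used in place of the MD5/SHA1 mentioned in the thread, since the hash algorithm is not the point. No network access is involved.

```python
"""Same-channel checksum vs. out-of-band pinned hash: a constructed simulation.

The "origin" is a dict of paths to bytes, a "channel" is a function that
returns what the client actually receives for a path, and a "MITM" channel
rewrites both the binary and the page carrying the checksum.
"""
import hashlib
import re

# Constructed stand-ins for the real (much larger) binaries.
GENUINE_SETUP = b"MZ\x90\x00 genuine setup.exe (constructed bytes)"
TROJAN_SETUP = b"MZ\x90\x00 trojaned setup.exe (constructed bytes)"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_site(setup_exe: bytes) -> dict:
    """Origin content: index.html publishes the checksum next to the link,
    exactly as the thread proposes."""
    return {
        "/setup.exe": setup_exe,
        "/index.html": (
            '<a href="setup.exe">setup.exe</a>\n'
            f"SHA256: {sha256_hex(setup_exe)}\n"
        ).encode(),
    }


def honest_channel(site: dict, path: str) -> bytes:
    """No attacker: the client receives what the origin serves."""
    return site[path]


def mitm_channel(site: dict, path: str) -> bytes:
    """Attacker on the path: serves a substitute site in which both the
    binary and the checksum line on index.html have been replaced."""
    evil_site = build_site(TROJAN_SETUP)
    return evil_site[path]


def fetch_via(channel, site: dict, path: str) -> bytes:
    return channel(site, path)


def verify_same_channel(channel, site: dict) -> bool:
    """Download setup.exe and the checksum page over the same channel and
    compare. Passes for the trojan too, so it is not a security control."""
    exe = fetch_via(channel, site, "/setup.exe")
    page = fetch_via(channel, site, "/index.html").decode()
    match = re.search(r"SHA256:\s*([0-9a-f]{64})", page)
    if match is None:
        return False
    return sha256_hex(exe) == match.group(1)


def verify_out_of_band(channel, site: dict, pinned_sha256: str) -> bool:
    """Compare against a hash the client obtained over a different, trusted
    path (an authenticated page, or a previously verified copy). The
    attacker on the download channel cannot rewrite that value."""
    exe = fetch_via(channel, site, "/setup.exe")
    return sha256_hex(exe) == pinned_sha256


def demo() -> dict:
    site = build_site(GENUINE_SETUP)
    # Assumption: the client learned this hash over a trusted channel earlier.
    pinned = sha256_hex(GENUINE_SETUP)
    return {
        "honest_same_channel": verify_same_channel(honest_channel, site),
        "mitm_same_channel": verify_same_channel(mitm_channel, site),
        "honest_out_of_band": verify_out_of_band(honest_channel, site, pinned),
        "mitm_out_of_band": verify_out_of_band(mitm_channel, site, pinned),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'verified' if ok else 'REJECTED'}")
```

The "mitm_same_channel" case is the one the reply warns about: the check succeeds even though the client received the trojan, because the attacker who rewrote setup.exe also rewrote the checksum line. Only the out-of-band comparison rejects it, which is why the trust anchor (a pinned hash, a signature key, or the server certificate behind an https download) has to arrive by a path the attacker does not control.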

  Copyright © 2019   by DJ Delorie     Updated Jul 2019