Message-ID: | <4BA248F7.8030907@etr-usa.com> |
Date: | Thu, 18 Mar 2010 09:38:31 -0600 |
From: | Warren Young <warren AT etr-usa DOT com> |
User-Agent: | Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.8) Gecko/20100227 Thunderbird/3.0.3 |
MIME-Version: | 1.0 |
To: | Cygwin-L <cygwin AT cygwin DOT com> |
Subject: | Re: incomplete/corrupted setup.exe |
References: | <1268766945 DOT 5263 DOT ezmlm AT cygwin DOT com> <Pine DOT LNX DOT 4 DOT 58 DOT 1003171042591 DOT 9914 AT mail3 DOT jubileegroup DOT co DOT uk> <20100317150649 DOT GA29284 AT ednor DOT casa DOT cgf DOT cx> <4BA17A9F DOT 2000808 AT monai DOT ca> <20100318015424 DOT GA4949 AT ednor DOT casa DOT cgf DOT cx> <4BA19876 DOT 1080207 AT monai DOT ca> |
In-Reply-To: | <4BA19876.1080207@monai.ca> |
On 3/17/2010 9:05 PM, Steven Monai wrote:
> On 2010/03/17 6:54 PM, Christopher Faylor wrote:
>> Oh. Are we still talking about this? I drifted off.
>>
>> Somebody please wake me when all of this tempest in a bikeshed is over.
>
> I don't understand the reason for the dismissive attitude.

Your proposed solutions don't really work. They're crutches which may help in some cases, but they don't absolutely and finally fix the problem. Therefore you're proposing that someone else do work on a "maybe". Why are you surprised when he says "no"?

Re the idea that SSL will defeat brain-dead and broken proxies: only the most brain-dead among them. Corporate filtering proxies are often set up to unwrap SSL at the proxy then re-sign the outbound request; they see the plaintext request. Such things aren't common at the low end because it requires adding the proxy as a trusted CA to every SSL-using program on the system, but it's common enough.

Re MITM mitigation: If that's what you're trying to guard against, how does putting hashes on a non-HTTPS web page help? A MITM could modify the hashes in transit just as well as he could modify setup.exe.

Re the MITM risk to begin with: is this actually happening, or are we just speculating here? I pay some attention to security issues, and haven't seen any reports of random in-flight exes over HTTP being replaced by a MITM with malware. Could it be done? Of course. But *is* it, and with what frequency?
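
The hash-page point in the message above, as an added example that is not part of the original post or of Cygwin's setup code: a digest delivered over the same plain-HTTP channel as the installer catches accidental truncation but not a rewrite of both, while a digest obtained over an authenticated channel catches both. The function names, the sample bytes and the pinned digest are constructed assumptions, and the channel is modelled in memory.

```python
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample: what the site publishes (not a real installer).
PUBLISHED = b"MZ constructed installer bytes " * 64
SITE = {"setup.exe": PUBLISHED, "hash_page": sha256_hex(PUBLISHED)}
# Assumption: the user obtained this digest over an authenticated channel.
PINNED = sha256_hex(PUBLISHED)


def fetch_over_http(site, corrupt=False, replacement=None):
    """Model one plain-HTTP fetch of the installer and the hash page."""
    got = dict(site)
    if corrupt:
        # Broken proxy or dropped connection: only the binary is damaged.
        got["setup.exe"] = got["setup.exe"][: len(got["setup.exe"]) // 2]
    if replacement is not None:
        # A party that can rewrite the binary can rewrite the hash page too.
        got = {"setup.exe": replacement, "hash_page": sha256_hex(replacement)}
    return got


def check_against_page(received) -> bool:
    """Compare the download with the hash that arrived over the same channel."""
    return hmac.compare_digest(sha256_hex(received["setup.exe"]), received["hash_page"])


def check_against_pinned(received, pinned_hex: str) -> bool:
    """Compare the download with a digest from an authenticated source."""
    return hmac.compare_digest(sha256_hex(received["setup.exe"]), pinned_hex)


def evaluate():
    """Return {case: (page_check_passes, pinned_check_passes)}."""
    cases = {
        "clean": fetch_over_http(SITE),
        "truncated": fetch_over_http(SITE, corrupt=True),
        "rewritten": fetch_over_http(SITE, replacement=b"constructed modified bytes"),
    }
    return {name: (check_against_page(r), check_against_pinned(r, PINNED))
            for name, r in cases.items()}


if __name__ == "__main__":
    for name, (page_ok, pinned_ok) in evaluate().items():
        print(f"{name:10} same-channel hash: {page_ok!s:5}  pinned digest: {pinned_ok}")
```
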