Mail Archives: cygwin/2015/02/26/17:31:57

delorie.com/archives/browse.cgi

search

Mail Archives: cygwin/2015/02/26/17:31:57

X-Recipient: archive-cygwin AT delorie DOT com

DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id

:list-unsubscribe:list-subscribe:list-archive:list-post

:list-help:sender:content-type:content-transfer-encoding

:mime-version:from:reply-to:to:subject:date:message-id; q=dns;

s=default; b=ViYiS03iBbKHwYhe509Ess4gY4OjcXhbB/oX13PpfEc3euzL5m

oWYSYGk2Fofut7krZRZswb0mIPGlQBhnsghPKv+cNk4YMJRSmnaQ3BViwesw/Qdf

xFa/mxkKHEJ6iItAJjjgkilr9LadLp/SQwDZPVQEBZ1xm5t41SngH8NLw=

DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id

:list-unsubscribe:list-subscribe:list-archive:list-post

:list-help:sender:content-type:content-transfer-encoding

:mime-version:from:reply-to:to:subject:date:message-id; s=

default; bh=3D/7j8OnymJOdN4GcNWPjln7pHk=; b=Im80yBERjE6Sx5FaI1H+

GXAemeR/mtO9J0cwmRmhYfpV2hz7pbwiqJa9YC5sc9nnvNjaXTxNK61IUFhwrsW1

q+ywkvdzskpC4mmU/FQJcfzSHaoO/jcuwPO9WKb8PQdn9c8w9pF0vcFqUnDaBmbi

INtD5xUtYLMV096ZOWmIEXg=

Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm

List-Id: <cygwin.cygwin.com>

List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>

List-Archive: <http://sourceware.org/ml/cygwin/>

List-Post: <mailto:cygwin AT cygwin DOT com>

List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>

Sender: cygwin-owner AT cygwin DOT com

Mail-Followup-To: cygwin AT cygwin DOT com

Delivered-To: mailing list cygwin AT cygwin DOT com

Authentication-Results: sourceware.org; auth=none

X-Virus-Found: No

X-Spam-SWARE-Status: No, score=-0.4 required=5.0 tests=AWL,BAYES_50,SPF_PASS,UNPARSEABLE_RELAY autolearn=ham version=3.3.2

X-HELO: aibo.runbox.com

MIME-Version: 1.0

From: "David A. Wheeler" <dwheeler AT dwheeler DOT com>

Reply-To: dwheeler AT dwheeler DOT com

To: "cygwin" <cygwin AT cygwin DOT com>

Subject: Cygwin website uses http: (not https:) for .exe downloads, allowing man-in-the-middle attack

Date: Thu, 26 Feb 2015 17:31:38 -0500 (EST)

Message-Id: <E1YR6y2-0008G9-Gr@rmm6prod02.runbox.com>

X-IsSubscribed: yes

X-MIME-Autoconverted: from quoted-printable to 8bit by delorie.com id t1QMVssm011120

The Cygwin front web page ( https://www.cygwin.com/ ) says:
"Install it by running setup-x86.exe (32-bit installation) or setup-x86_64.exe (64-bit installation)."

However, both of the links to those .exe executables explicitly use "http://", and not "https://", even when you go to the https version of the Cygwin website.  This use of http: enables a man-in-the-middle attack on anyone trying to download the Cygwin installer.  In particular, a man-in-the-middle could maliciously modify the .exe, and there are many programs that can automatically insert malicious code into a Windows .exe file.

Please fix those links to use "https:", and not "http:".

You might also want to enable "HTTP Strict Transport Security" (HSTS) on the Cygwin website.

--- David A. Wheeler

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

- Raw text -

webmaster	delorie software privacy
Copyright © 2019 by DJ Delorie	Updated Jul 2019

X-Recipient:	archive-cygwin AT delorie DOT com
DomainKey-Signature:	a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:content-type:content-transfer-encoding
	:mime-version:from:reply-to:to:subject:date:message-id; q=dns;
	s=default; b=ViYiS03iBbKHwYhe509Ess4gY4OjcXhbB/oX13PpfEc3euzL5m
	oWYSYGk2Fofut7krZRZswb0mIPGlQBhnsghPKv+cNk4YMJRSmnaQ3BViwesw/Qdf
	xFa/mxkKHEJ6iItAJjjgkilr9LadLp/SQwDZPVQEBZ1xm5t41SngH8NLw=
DKIM-Signature:	v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:content-type:content-transfer-encoding
	:mime-version:from:reply-to:to:subject:date:message-id; s=
	default; bh=3D/7j8OnymJOdN4GcNWPjln7pHk=; b=Im80yBERjE6Sx5FaI1H+
	GXAemeR/mtO9J0cwmRmhYfpV2hz7pbwiqJa9YC5sc9nnvNjaXTxNK61IUFhwrsW1
	q+ywkvdzskpC4mmU/FQJcfzSHaoO/jcuwPO9WKb8PQdn9c8w9pF0vcFqUnDaBmbi
	INtD5xUtYLMV096ZOWmIEXg=
Mailing-List:	contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id:	<cygwin.cygwin.com>
List-Subscribe:	<mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive:	<http://sourceware.org/ml/cygwin/>
List-Post:	<mailto:cygwin AT cygwin DOT com>
List-Help:	<mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender:	cygwin-owner AT cygwin DOT com
Mail-Followup-To:	cygwin AT cygwin DOT com
Delivered-To:	mailing list cygwin AT cygwin DOT com
Authentication-Results:	sourceware.org; auth=none
X-Virus-Found:	No
X-Spam-SWARE-Status:	No, score=-0.4 required=5.0 tests=AWL,BAYES_50,SPF_PASS,UNPARSEABLE_RELAY autolearn=ham version=3.3.2
X-HELO:	aibo.runbox.com
MIME-Version:	1.0
From:	"David A. Wheeler" <dwheeler AT dwheeler DOT com>
Reply-To:	dwheeler AT dwheeler DOT com
To:	"cygwin" <cygwin AT cygwin DOT com>
Subject:	Cygwin website uses http: (not https:) for .exe downloads, allowing man-in-the-middle attack
Date:	Thu, 26 Feb 2015 17:31:38 -0500 (EST)
Message-Id:	<E1YR6y2-0008G9-Gr@rmm6prod02.runbox.com>
X-IsSubscribed:	yes
X-MIME-Autoconverted:	from quoted-printable to 8bit by delorie.com id t1QMVssm011120