Mail Archives: cygwin/2015/02/26/19:40:18

Subject: Re: Cygwin website uses http: (not https:) for .exe downloads, allowing man-in-the-middle attack
From: Warren Young <wyml AT etr-usa DOT com>
In-Reply-To: <CAPbcu1PA=VSL+EFj2uN0eTknNCVWVb8y62BcgotyAhbFqa1G7A@mail.gmail.com>
Date: Thu, 26 Feb 2015 17:39:55 -0700
Message-Id: <0A816C51-DFB8-4A0B-872B-DB1A139F4C08@etr-usa.com>
References: <E1YR6y2-0008G9-Gr AT rmm6prod02 DOT runbox DOT com> <CAPbcu1PA=VSL+EFj2uN0eTknNCVWVb8y62BcgotyAhbFqa1G7A AT mail DOT gmail DOT com>
To: The Cygwin Mailing List <cygwin AT cygwin DOT com>

On Feb 26, 2015, at 3:39 PM, Darik Horn <dajhorn AT vanadac DOT com> wrote:
> 
> Note that GPG signatures are published for the Cygwin setup binaries:

If someone can MITM the *.exe files, they can MITM the GPG sigs, too.

You could try and be diligent and check that the signature was made with a GPG key you trust, but I’ll bet most people who have checked this just test whether the signature is valid.

At its worst, GPG’s web of trust behaves like today’s overly-trusting web browsers, which may have hundreds of CAs you’ve never heard of.  Just because your browser vendor trusts the CA doesn’t mean you should, too.  Getting a GPG public key via an untrusted path is exactly like that.

GPG sigs are better for authenticity detection than MD5/SHA hashes, but only by as much as the trustworthiness of the path you got the GPG public key via.
--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
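The distinction drawn in the message above, between "the signature is valid" and "the signature was made by a key I trust", is exactly what `gpg --verify`'s exit status does not give you: it returns 0 for any good signature, including one from a key that arrived over the same untrusted path as the download. The script below is an added example, not code from this thread or from the Cygwin project; it assumes GnuPG 2.1 or later is on PATH, builds two throwaway keys in a temporary GNUPGHOME (so the fingerprints it prints are those of constructed demo keys, not Cygwin's real release key), and shows a `verify_pinned` check that reads gpg's machine-readable `--status-fd` output and only accepts a signature whose signing-key fingerprint matches one you obtained out of band:

```shell
#!/bin/sh
# Added example, not from the original thread: verify a detached GPG signature
# and pin the signing key's fingerprint, instead of trusting the exit status of
# "gpg --verify" alone. Assumes "gpg" (GnuPG 2.1 or later) is on PATH. Every
# key, file and signature below is constructed in a throwaway GNUPGHOME; the
# fingerprints are whatever that keyring produces, not Cygwin's real key.

# verify_pinned FILE SIG EXPECTED_FPR
# Succeeds only if SIG is a good signature over FILE *and* it was made by the
# key whose fingerprint is EXPECTED_FPR. gpg's --status-fd output is used
# because its exit status is 0 for any good signature, including one from a key
# you have never vetted (gpg merely prints a "This key is not certified" warning).
verify_pinned() {
  file=$1; sig=$2; expected=$3
  status=$(gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null) || return 1
  # [GNUPG:] VALIDSIG <signing-key-fpr> <date> <ts> <exp> <ver> <res> <pkalgo> <hash> <class> <primary-key-fpr>
  sigfpr=$(printf '%s\n' "$status" | awk '$1=="[GNUPG:]" && $2=="VALIDSIG" {print $3; exit}')
  primary=$(printf '%s\n' "$status" | awk '$1=="[GNUPG:]" && $2=="VALIDSIG" {print $NF; exit}')
  [ -n "$sigfpr" ] || return 1
  # Accept a pin on either the signing (sub)key or the primary key fingerprint.
  [ "$sigfpr" = "$expected" ] || [ "$primary" = "$expected" ]
}

# Builds a throwaway keyring with two keys: the one whose fingerprint you
# obtained out of band (TRUSTED_FPR) and one an attacker could slip in alongside
# MITM'd downloads (MALLORY_FPR). Both end up in the same keyring, which is what
# happens if you import whatever key came with the download.
setup_demo() {
  WORK=$(mktemp -d) || return 1
  GNUPGHOME="$WORK/gnupg"; export GNUPGHOME
  mkdir -m 700 "$GNUPGHOME" || return 1
  for who in release mallory; do
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$who <$who@example.invalid>" ed25519 sign never >/dev/null 2>&1 || return 1
  done
  TRUSTED_FPR=$(gpg --batch --with-colons --list-keys release@example.invalid | awk -F: '$1=="fpr"{print $10; exit}')
  MALLORY_FPR=$(gpg --batch --with-colons --list-keys mallory@example.invalid | awk -F: '$1=="fpr"{print $10; exit}')
  # Constructed stand-in for the setup binary being downloaded.
  printf 'constructed stand-in for setup-x86_64.exe\n' > "$WORK/setup.exe"
  gpg --batch --quiet -u "$TRUSTED_FPR" --detach-sign -o "$WORK/setup.exe.sig" "$WORK/setup.exe" 2>/dev/null || return 1
  gpg --batch --quiet -u "$MALLORY_FPR" --detach-sign -o "$WORK/setup.exe.mitm.sig" "$WORK/setup.exe" 2>/dev/null || return 1
}

cleanup_demo() {
  gpgconf --kill gpg-agent 2>/dev/null
  rm -rf "$WORK"
}

main() {
  command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; skipping demo"; return 0; }
  setup_demo || return 1
  # Exit status alone: the attacker's signature is "good", so it passes.
  gpg --batch --verify "$WORK/setup.exe.mitm.sig" "$WORK/setup.exe" 2>/dev/null \
    && echo "exit status only: attacker's signature ACCEPTED"
  # Pinned fingerprint: only the signature from the out-of-band-verified key passes.
  verify_pinned "$WORK/setup.exe" "$WORK/setup.exe.sig"      "$TRUSTED_FPR" && echo "pinned: genuine signature accepted"
  verify_pinned "$WORK/setup.exe" "$WORK/setup.exe.mitm.sig" "$TRUSTED_FPR" || echo "pinned: attacker's signature rejected"
  cleanup_demo
}

main
```

To apply this to a real download, replace the expected fingerprint with the one for the publisher's signing key obtained through a path you already trust (a key you verified in person, one shipped inside a package you previously validated, or one published under a different domain and transport than the file itself); fetching the key from the same http: site as the .exe, as the message notes, pins nothing.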