Mail Archives: cygwin/2019/03/09/23:54:55

X-Recipient: archive-cygwin AT delorie DOT com
DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
:list-unsubscribe:list-subscribe:list-archive:list-post
:list-help:sender:mime-version:from:date:message-id:subject:to
:content-type; q=dns; s=default; b=IPdC/gg4XmUtnPGDFm1bf38Davn60
WfTWsBvKbWD4Yeh/ZG/+wTcmTSb0tcsU/jPoVfm4kY+qxip9/lnSncNhhihzffRT
4LkmkIRezVdhA/ifFu46a8VWeFYp8qzo4F2MTgywHUNHkfBHClpxBIhIlrmt87pB
FgDMicZ1W0rrOs=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id
:list-unsubscribe:list-subscribe:list-archive:list-post
:list-help:sender:mime-version:from:date:message-id:subject:to
:content-type; s=default; bh=qhv6uzB3KswawfZd3ncfI3//txY=; b=LxN
+23EyqzwWI8pxTKm8gW5tfvJGlcSiLFWJCzaJYO/Y5FQs66R9wIx6yh9ivWz7Tlh
iSroPO0bvKD0NSspOPtiRMZCdtpLG8PpvcougoZfkXjTOFZBco/6EyilUV+ARHSI
yMO4FoCfWt2uClEagiBefu4reQzEFXEocfDn0KvI=
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Authentication-Results: sourceware.org; auth=none
X-Spam-SWARE-Status: No, score=-1.4 required=5.0 tests=AWL,BAYES_00,FREEMAIL_FROM,RCVD_IN_DNSWL_NONE,SPF_PASS autolearn=ham version=3.3.1 spammy=browser, attack, ssl, HX-Languages-Length:802
X-HELO: mail-vs1-f54.google.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=Cx340X+6ddNDK2PUlwyH8atzlcfoyPQmalKvA7s8rnk=; b=fZRnVdcIdkKF6/6Pd3FUNGkouwKyrxRHBiv8V0D1aEfZPKK0CreDrltls0zbjpm+4v eFSMlmmioEB7j5SldGbIxLIIaYDGKVyIL1XckvrQIxzK2Lj1Rkr6Ew82tOfzI6KLCqHc Sjn9/Bsxn5VrJi1aUQ/sUpQUemww6uJqJtVZESrVr38ga6OaCLw/jatH1KTIRAXNTL0r P7q1MKEmP2kfiHl9KcPY+xg/lcOafBzxK0jLWdahjBrk/UbXIhtAUCoIpmAHINsbK4sB C2JAWMMKrT9S/xKdg3lvpgRzFEqKFkCCOdJQUhKe5DzABUIL3ZuzDIYhM/nXhNHPoh3x IaKA==
MIME-Version: 1.0
From: Archie Cobbs <archie DOT cobbs AT gmail DOT com>
Date: Sat, 9 Mar 2019 22:54:29 -0600
Message-ID: <CANSoFxtW0Jb1M5KfkFGGOxec_D8ysyYCrnk_PXWjHobLDXZauQ@mail.gmail.com>
Subject: SSL not required for setup.exe download
To: cygwin AT cygwin DOT com
X-IsSubscribed: yes

The FAQ states:

    The Cygwin website provides the setup program (setup-x86.exe or
    setup-x86_64.exe) using HTTPS (SSL/TLS).

While this is true, it's not mandatory.

If one happens to go to HTTP://www.cygwin.com instead of
HTTPS://www.cygwin.com, then neither the page you are viewing (which
contains the setup.exe download link), nor the setup.exe download link
itself are secured via SSL.

So someone who just types "cygwin.com" into the browser location bar
and clicks on the setup.exe link is vulnerable to an MITM attack.

It would be safer if http://www.cygwin.com always redirected you to
https://www.cygwin.com, where the page and the link are SSL.

Is there any reason not to force this redirect and close this security hole?

-Archie

--
Archie L. Cobbs

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
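The check the message is asking for can be expressed as a small redirect-chain audit. The following is an added example (not part of the original message or of the Cygwin project): it follows redirects from an http:// entry point and reports whether the final page is served over HTTPS and whether it sets Strict-Transport-Security. The `fetch` function and the hostnames `weak.example`, `fixed.example` and `loop.example` are constructed stand-ins so the script runs offline; in practice `fetch` would be replaced by a real HTTP client that does not follow redirects on its own.

```python
"""Audit whether an http:// entry point upgrades visitors to HTTPS.

Added example, not code from the original message. `fetch` is a constructed
stand-in for an HTTP client and answers only for a few hypothetical URLs.
"""
from urllib.parse import urlsplit, urljoin

REDIRECT_STATUSES = (301, 302, 303, 307, 308)

# Constructed responses (hypothetical), keyed by URL: (status, headers).
SAMPLE_RESPONSES = {
    # Weak: plain HTTP serves the download page directly, as the message describes.
    "http://weak.example/": (200, {"Content-Type": "text/html"}),
    # Corrected: plain HTTP redirects to HTTPS, and the HTTPS page sets HSTS so
    # returning browsers never send the plain-HTTP request again.
    "http://fixed.example/": (301, {"Location": "https://fixed.example/"}),
    "https://fixed.example/": (200, {"Strict-Transport-Security": "max-age=31536000"}),
    # Misconfigured: redirects, but stays on plain HTTP.
    "http://loop.example/": (302, {"Location": "/index.html"}),
    "http://loop.example/index.html": (200, {"Content-Type": "text/html"}),
}


def fetch(url):
    """Constructed client: returns (status, headers) without following redirects."""
    return SAMPLE_RESPONSES[url]


def _header(headers, name):
    """Case-insensitive header lookup (HTTP header names are not case-sensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def check_https_redirect(start_url, fetch=fetch, max_hops=5):
    """Follow redirects from start_url and judge the result.

    Returns a dict: final_url, upgraded (final page is https), hsts (HTTPS page
    sets Strict-Transport-Security), hops (redirects followed), problems (list).
    """
    url = start_url
    hops = 0
    problems = []
    status, headers = fetch(url)
    while status in REDIRECT_STATUSES:
        location = _header(headers, "Location")
        if not location:
            problems.append(f"{url}: redirect status {status} without Location header")
            break
        next_url = urljoin(url, location)
        # A redirect from https back to http would undo the upgrade.
        if urlsplit(url).scheme == "https" and urlsplit(next_url).scheme == "http":
            problems.append(f"{url}: downgrade redirect to {next_url}")
        hops += 1
        if hops > max_hops:
            problems.append(f"more than {max_hops} redirects starting from {start_url}")
            break
        url = next_url
        status, headers = fetch(url)

    upgraded = urlsplit(url).scheme == "https"
    if not upgraded:
        problems.append(f"final page {url} is served over plain HTTP")
    hsts = upgraded and _header(headers, "Strict-Transport-Security") is not None
    if upgraded and not hsts:
        problems.append(f"{url}: HTTPS page does not set Strict-Transport-Security")
    return {"final_url": url, "upgraded": upgraded, "hsts": hsts,
            "hops": hops, "problems": problems}


if __name__ == "__main__":
    for entry in ("http://weak.example/", "http://fixed.example/", "http://loop.example/"):
        result = check_https_redirect(entry)
        verdict = "OK" if not result["problems"] else "; ".join(result["problems"])
        print(f"{entry} -> {result['final_url']} ({result['hops']} hops): {verdict}")
```

The HSTS check is there because the redirect alone only protects the first visit: the initial http:// request, and the 301 that answers it, still travel in the clear, so an on-path attacker can intercept that first request. Once the HTTPS page has sent Strict-Transport-Security, a browser that has seen it rewrites later http:// navigations to https:// locally, which is what closes the window the message describes for returning visitors.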
