Mail Archives: cygwin/2019/03/10/10:16:32

X-Recipient: archive-cygwin AT delorie DOT com
DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
:list-unsubscribe:list-subscribe:list-archive:list-post
:list-help:sender:reply-to:subject:to:references:from:message-id
:date:mime-version:in-reply-to:content-type
:content-transfer-encoding; q=dns; s=default; b=L+0bT9EE0iHzDaii
sKu9gHR0fDW75iuv9PYkm9i98U0myRzmCWPjfWk40/y2SPPh5aKQ3Cs7V8U9mCvN
cCme+gJkA5xgWqDrRoCuURocsxOP47yGYeesb8kDWjHcBLBqINusYXWU2/nqMR70
/CBDW3awoSGaz/LirIWOBATFZlg=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id
:list-unsubscribe:list-subscribe:list-archive:list-post
:list-help:sender:reply-to:subject:to:references:from:message-id
:date:mime-version:in-reply-to:content-type
:content-transfer-encoding; s=default; bh=ItlFBYPyx7LBz+IUl0Fhsg
BIF74=; b=tf2xAZBw347BxqAFE4n1t53W6+VbshX9oLEB+4yshcccgp5/ib65q5
5UZuWbi4dH6hOgHLBh0ojov2LBE3GafpLhGAIOebknCLr/KyuNr81On0Mwk14luq
qfTwmwOOI19abGmjizRBAGBPZzphft5sq/oeIlfpu1T1z7Vij4yMo=
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Authentication-Results: sourceware.org; auth=none
X-Spam-SWARE-Status: No, score=-2.6 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_LOW,SPF_PASS autolearn=ham version=3.3.1 spammy=UD:ca, browser, compliant, supporting
X-HELO: smtp-out-so.shaw.ca
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=shaw.ca; s=s20180605; t=1552227379; bh=5BVcd9gcj8XGA7mp52siTJxGOLpxXiEOf5vbdlN+Ih4=; h=Reply-To:Subject:To:References:From:Date:In-Reply-To; b=OOc8Ig7+QPTXSyLXEEW2UU6usA9tUFYfPo3dF7BswI0y1IB7duXbhpdtibvqvsCu7 koE/IcdWyKA1mAdpCZpgjRkZxQXL3Dq0FnjZeoyW+uvXeLZKunGe7THkU1tF6wMtyO idlUgiLqpSA3OB13AgMqNpsaRIArhGnW4C5TnSZwg0r7EiX6KgnJUdhBmCsQhahAjL CVXJBF2q1gtO1iM7JEC+po0cmxMEzkxHwjdULWMxwNjtZno4jcIteHZA1Xjg+kFc7S q+Rkkf+eV5O4CUSmPyyDCSn1bZYCVV6r8gpGVcFGnlzi+7id/gVHFhmfsGlJmeDSnT sMKc2DNbSA4MQ==
Reply-To: Brian DOT Inglis AT Shaw DOT ca
Subject: Re: SSL not required for setup.exe download
To: cygwin AT cygwin DOT com
References: <CANSoFxtW0Jb1M5KfkFGGOxec_D8ysyYCrnk_PXWjHobLDXZauQ AT mail DOT gmail DOT com>
From: Brian Inglis <Brian DOT Inglis AT Shaw DOT ca>
Openpgp: preference=signencrypt
Message-ID: <1a840c2e-55ac-0ab4-66c4-a1f6a2c4f81a@Shaw.ca>
Date: Sun, 10 Mar 2019 08:16:18 -0600
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.5.3
MIME-Version: 1.0
In-Reply-To: <CANSoFxtW0Jb1M5KfkFGGOxec_D8ysyYCrnk_PXWjHobLDXZauQ@mail.gmail.com>

On 2019-03-09 21:54, Archie Cobbs wrote:
> The FAQ states:
>     The Cygwin website provides the setup program (setup-x86.exe or
> setup-x86_64.exe) using HTTPS (SSL/TLS).
> While this is true, it's not mandatory.
> If one happens to go to HTTP://www.cygwin.com instead of
> HTTPS://www.cygwin.com, then neither the page you are viewing (which
> contains the setup.exe download link) nor the setup.exe download link
> itself is secured via SSL.
> So someone who just types "cygwin.com" into the browser location bar
> and clicks on the setup.exe link is vulnerable to a MITM attack.
> It would be safer if http://www.cygwin.com always redirected you to
> https://www.cygwin.com, where the page and the link are SSL.
> Is there any reason not to force this redirect and close this security hole?

The whole sourceware.org site, including cygwin.com, uses HSTS, which compliant,
supporting clients can use to switch to communicating over HTTPS.
Clients which are not compliant or don't support HTTPS may still download the
programs and files.

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
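
The HSTS mechanism referred to in the reply above, as an added example that is not part of the original thread and not Cygwin or sourceware.org code. It implements the client side of RFC 6797: parsing the Strict-Transport-Security header, keeping a Known HSTS Hosts store, and rewriting http:// URLs to https:// for hosts in that store. The sample header values and the hostnames (example.test) are constructed for the example, not captured from cygwin.com. Two RFC 6797 rules it makes visible: the header is only honoured when received over HTTPS, and a host is only upgraded once its policy has been seen, so a first plain-HTTP visit from a client without a cached entry (or a preload list) is not upgraded by HSTS itself.

```python
"""Minimal RFC 6797 (HSTS) client-side policy handling.

Added example; the headers and hostnames below are constructed samples,
not traffic captured from cygwin.com or sourceware.org.
"""
import re
import time
from urllib.parse import urlsplit, urlunsplit

# Constructed sample response headers (hypothetical values).
STS_HEADERS = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}


def parse_sts(value):
    """Parse a Strict-Transport-Security value.

    Returns (max_age, include_subdomains), or None if the header is
    invalid per RFC 6797 6.1: max-age missing or a directive repeated.
    Unknown directives are ignored.
    """
    max_age, include_sub, seen = None, False, set()
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not re.fullmatch(r"[0-9]+", arg):
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


class HstsCache:
    """In-memory Known HSTS Hosts store: host -> (expiry, includeSubDomains)."""

    def __init__(self, now=time.time):
        self.now = now
        self.hosts = {}

    def process_response(self, url, headers):
        """Record the policy from a response to `url`.

        RFC 6797 8.1: the header MUST be ignored unless it arrived over a
        secure transport. Returns True only when the store was changed.
        """
        parts = urlsplit(url)
        if parts.scheme != "https" or parts.hostname is None:
            return False
        parsed = parse_sts(headers.get("Strict-Transport-Security", "") or "")
        if parsed is None:
            return False
        max_age, include_sub = parsed
        host = parts.hostname.lower()
        if max_age == 0:
            self.hosts.pop(host, None)          # max-age=0 removes the entry
        else:
            self.hosts[host] = (self.now() + max_age, include_sub)
        return True

    def is_known(self, host):
        """Exact match, or a superdomain match whose includeSubDomains is set."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.hosts.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, include_sub = entry
            if expiry > self.now() and (i == 0 or include_sub):
                return True
        return False

    def rewrite(self, url):
        """RFC 6797 8.3: upgrade http:// to https:// (port 80 -> 443) for known hosts."""
        parts = urlsplit(url)
        if parts.scheme != "http" or parts.hostname is None or not self.is_known(parts.hostname):
            return url
        netloc = parts.hostname
        if parts.port and parts.port != 80:
            netloc += f":{parts.port}"           # non-default ports are kept
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def demo():
    """Walk through a first visit, an ignored HTTP header, then an upgrade."""
    cache = HstsCache()
    first = cache.rewrite("http://www.example.test/setup-x86_64.exe")   # nothing cached yet
    over_http = cache.process_response("http://www.example.test/", STS_HEADERS)   # ignored
    over_https = cache.process_response("https://www.example.test/", STS_HEADERS)  # stored
    upgraded = cache.rewrite("http://www.example.test/setup-x86_64.exe")
    subdomain = cache.rewrite("http://mirror.www.example.test/")          # includeSubDomains
    return first, over_http, over_https, upgraded, subdomain


if __name__ == "__main__":
    for step in demo():
        print(step)
```

The store is keyed by hostname only, as the RFC requires; a client that has never completed an HTTPS visit to the host returns the http:// URL unchanged, which is why a server-side 301 to https:// (or preloading) is what covers that first request.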

  Copyright © 2019   by DJ Delorie     Updated Jul 2019