Mail Archives: cygwin/2019/03/10/12:40:52

X-Recipient: archive-cygwin AT delorie DOT com
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
MIME-Version: 1.0
References: <CANSoFxtW0Jb1M5KfkFGGOxec_D8ysyYCrnk_PXWjHobLDXZauQ AT mail DOT gmail DOT com> <1a840c2e-55ac-0ab4-66c4-a1f6a2c4f81a AT Shaw DOT ca>
In-Reply-To: <1a840c2e-55ac-0ab4-66c4-a1f6a2c4f81a@Shaw.ca>
From: Archie Cobbs <archie DOT cobbs AT gmail DOT com>
Date: Sun, 10 Mar 2019 11:40:28 -0500
Message-ID: <CANSoFxtA0vnF1adx4rwyjuMasrVAOGb8hT_Uct-wSdcazj252w@mail.gmail.com>
Subject: Re: SSL not required for setup.exe download
To: Brian DOT Inglis AT shaw DOT ca, cygwin AT cygwin DOT com
X-IsSubscribed: yes

Hi Brian,

On Sun, Mar 10, 2019 at 9:16 AM Brian Inglis <Brian DOT Inglis AT shaw DOT ca> wrote:
> > Is there any reason not to force this redirect and close this security hole?
>
> The whole sourceware.org site including cygwin.com uses HSTS which compliant
> supporting clients can use to switch to communicating over HTTPS.
> Clients which are not compliant or don't support HTTPS may still download the
> programs and files.

I don't see how HSTS solves the particular issue that I'm referring to.

HSTS only applies to connections that are *already* using HTTPS.
Quoting Wikipedia:

    HSTS mechanism overview

    A server implements an HSTS policy by supplying a header over an
    HTTPS connection (HSTS headers over HTTP are ignored).

In any case, the problem I'm talking about is trivial to verify. Just
start up Chrome or Firefox and enter http://www.cygwin.com. You can
then confirm that (a) the page you are looking at has an http:// URL,
and (b) the link to setup.exe also has an http:// URL. Therefore,
there is no real security in this scenario.

-Archie

-- 
Archie L. Cobbs

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
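The check Archie describes (does the plain-HTTP page redirect, does the page link to the installer over http://, and is an HSTS header only honoured when it arrives over HTTPS) can be expressed as a small offline assessment. The following is an added example, not code from the thread or from the Cygwin project; it works on constructed response records for a hypothetical host (`www.example.invalid`) rather than fetching anything, and the rule that HSTS over plain HTTP is ignored follows RFC 6797, which the Wikipedia quote above summarises.

```python
"""Added example (not from the original post): offline assessment of an
HTTP->HTTPS redirect, HSTS policy and insecure download links, run over
constructed HTTP responses for a hypothetical host."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample responses (hypothetical host), modelling the scenario in
# the post: the plain-HTTP page is served directly, links to the installer
# over http://, and even carries an HSTS header that clients must ignore.
HTTP_RESPONSE = {
    "url": "http://www.example.invalid/",
    "status": 200,
    "headers": {"Content-Type": "text/html",
                "Strict-Transport-Security": "max-age=31536000"},
    "body": '<a href="http://www.example.invalid/setup.exe">setup.exe</a>',
}
HTTPS_RESPONSE = {
    "url": "https://www.example.invalid/",
    "status": 200,
    "headers": {"Content-Type": "text/html",
                "Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
    "body": '<a href="/setup.exe">setup.exe</a>',
}
# The corrected behaviour: plain HTTP answers with a redirect to HTTPS.
REDIRECT_RESPONSE = {
    "url": "http://www.example.invalid/",
    "status": 301,
    "headers": {"Location": "https://www.example.invalid/"},
    "body": "",
}


class _LinkCollector(HTMLParser):
    """Collect every <a href> on the page, resolved against the page URL."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(urljoin(self.base_url, value))


def _header(resp, name):
    """Case-insensitive header lookup."""
    for key, value in resp["headers"].items():
        if key.lower() == name.lower():
            return value
    return None


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value into its directives."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                policy["max_age"] = int(arg.strip().strip('"'))
            except ValueError:
                pass  # malformed max-age: leave unset so the policy is rejected
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def effective_hsts(resp):
    """Return the HSTS policy a client would actually honour, or None.
    RFC 6797 has clients ignore the header unless it arrived over HTTPS,
    and a policy without a valid max-age is not usable either."""
    if urlsplit(resp["url"]).scheme != "https":
        return None
    value = _header(resp, "Strict-Transport-Security")
    if not value:
        return None
    policy = parse_hsts(value)
    return policy if policy["max_age"] is not None else None


def redirects_to_https(resp):
    """True if this plain-HTTP response redirects the client to an https:// URL."""
    if resp["status"] not in (301, 302, 303, 307, 308):
        return False
    location = _header(resp, "Location")
    if not location:
        return False
    return urlsplit(urljoin(resp["url"], location)).scheme == "https"


def insecure_links(resp):
    """Absolute http:// links found in the page body."""
    collector = _LinkCollector(resp["url"])
    collector.feed(resp.get("body", ""))
    return [u for u in collector.links if urlsplit(u).scheme == "http"]


def assess(http_resp, https_resp):
    """List the findings a defender would raise for this pair of responses."""
    findings = []
    if not redirects_to_https(http_resp):
        findings.append("plain-HTTP request is served directly, not redirected to HTTPS")
    for link in insecure_links(http_resp):
        findings.append(f"page served over HTTP links to {link} without TLS")
    if effective_hsts(https_resp) is None:
        findings.append("no usable HSTS policy on the HTTPS response")
    return findings


if __name__ == "__main__":
    for finding in assess(HTTP_RESPONSE, HTTPS_RESPONSE):
        print("finding:", finding)
```

Running it against the constructed records reports two findings for the scenario in the post (no redirect, and an http:// link to the installer) and none once the plain-HTTP response is the redirect; note that `effective_hsts(HTTP_RESPONSE)` is `None` even though that response carries an HSTS header, which is exactly why HSTS alone does not close the gap Archie describes.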

  Copyright © 2019   by DJ Delorie     Updated Jul 2019