| delorie.com/archives/browse.cgi | search |
| X-Recipient: | archive-cygwin AT delorie DOT com |
| DomainKey-Signature: | a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id |
| :list-unsubscribe:list-subscribe:list-archive:list-post | |
| :list-help:sender:message-id:date:from:mime-version:to:subject | |
| :references:in-reply-to:content-type:content-transfer-encoding; | |
| q=dns; s=default; b=XoVnEJYfe6C2OFMGuGWigkJIgjnjWWd/eHAzqOyCqz1 | |
| QSQ7rdhqQ5W07l6nWL6GE6xpm3Dsq9yRiYZbx4wBajFbBm35A1m6QmpX29f6nkwe | |
| bD5+n8C4hJis3Bb3calzkvCKerRo4gF+uK2SQK7jqB9d4zI33mf4eT+V+eVGiF1k | |
| = | |
| DKIM-Signature: | v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id |
| :list-unsubscribe:list-subscribe:list-archive:list-post | |
| :list-help:sender:message-id:date:from:mime-version:to:subject | |
| :references:in-reply-to:content-type:content-transfer-encoding; | |
| s=default; bh=OmlxbWmrFirZRls3tFafiBeWrEc=; b=nRGYICjP6eTbTpei+ | |
| VyuK14y20EPrvNDTCHh9WLxTxnBCSvczGFzL/zx89aDK1kbQ0cWs7besv6LvKFbP | |
| J+WBXrNO59JrBaqRwgAKfoH/h3Q+Q8RWBxRGmY65btCl852nRihdAH1YmCa/LwzP | |
| H0bFnd1avxzT5azjMDOplKbG0I= | |
| Mailing-List: | contact cygwin-help AT cygwin DOT com; run by ezmlm |
| List-Id: | <cygwin.cygwin.com> |
| List-Subscribe: | <mailto:cygwin-subscribe AT cygwin DOT com> |
| List-Archive: | <http://sourceware.org/ml/cygwin/> |
| List-Post: | <mailto:cygwin AT cygwin DOT com> |
| List-Help: | <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs> |
| Sender: | cygwin-owner AT cygwin DOT com |
| Mail-Followup-To: | cygwin AT cygwin DOT com |
| Delivered-To: | mailing list cygwin AT cygwin DOT com |
| Authentication-Results: | sourceware.org; auth=none |
| X-Spam-SWARE-Status: | No, score=-5.7 required=5.0 tests=AWL,BAYES_00,GIT_PATCH_2 autolearn=ham version=3.3.1 spammy=harder, Google, google, site |
| X-HELO: | Ishtar.sc.tlinx.org |
| Message-ID: | <5C859BB7.4040900@tlinx.org> |
| Date: | Sun, 10 Mar 2019 16:20:23 -0700 |
| From: | L A Walsh <cygwin AT tlinx DOT org> |
| User-Agent: | Thunderbird |
| MIME-Version: | 1.0 |
| To: | cygwin AT cygwin DOT com |
| Subject: | Re: SSL not required for setup.exe download |
| References: | <CANSoFxtW0Jb1M5KfkFGGOxec_D8ysyYCrnk_PXWjHobLDXZauQ AT mail DOT gmail DOT com> <fcfccbe3-a4e3-2f75-a2f4-23d12abc5a70 AT SystematicSw DOT ab DOT ca> |
| In-Reply-To: | <fcfccbe3-a4e3-2f75-a2f4-23d12abc5a70@SystematicSw.ab.ca> |
| X-IsSubscribed: | yes |
On 3/10/2019 7:16 AM, Brian Inglis wrote:
> On 2019-03-09 21:54, Archie Cobbs wrote:
>> It would be safer if http://www.cygwin.com always redirected you to
>> https://www.cygwin.com, where the page and the link are SSL.
>> Is there any reason not to force this redirect and close this security hole?
>>
----
I think the point is that if you redirect and a client can't
speak https, what happens? Wouldn't they get an error that would
prevent them from using the site?
Google has a vested interest in getting people locked in on
https -- makes it much harder for people to use proxies and lower
their requests to google and for them to block some requests. They get
to control what you get -- not you.
>
> The whole sourceware.org site include cygwin.com uses HSTS which compliant
> supporting clients can use to switch to communicating over HTTPS.
> Clients which are not compliant or don't support HTTPS may still download the
> programs and files.
>
>
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
| webmaster | delorie software privacy |
| Copyright © 2019 by DJ Delorie | Updated Jul 2019 |