Mail Archives: cygwin/2019/03/11/09:44:24

delorie.com/archives/browse.cgi

search

Mail Archives: cygwin/2019/03/11/09:44:24

X-Recipient: archive-cygwin AT delorie DOT com

DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id

:list-unsubscribe:list-subscribe:list-archive:list-post

:list-help:sender:mime-version:references:in-reply-to:from:date

:message-id:subject:to:content-type; q=dns; s=default; b=pD+jcNo

NvNbO8oJaKT1tvhtT8+z78PVksVjOPrrMHX3tAEOmEHLihFCo7/+C+yH/hgMLJKO

K3YTi5kWoPqZ6BCPpQVXSoC9zHFS2UNR+J3ygkpP+SVRR/6acXfalWH8javVSX2w

UzbtiYN+c7Q1zDRmzunE+piznsam1l7PeJO0=

DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id

:list-unsubscribe:list-subscribe:list-archive:list-post

:list-help:sender:mime-version:references:in-reply-to:from:date

:message-id:subject:to:content-type; s=default; bh=eoV2vl0i4JTfs

VVqVeaXiEQ1E+w=; b=rUXQ117cT+3GxJpv83XImFbTj4g3+gzcbQ2YXPfFUlMfJ

nVPD27bqZ/P0PKJKii9Ug5xufQLyBtQjlVHA060yo1GNilgP5DHNT/qzr55IwZG6

N5sKtItv0CevFToiiVCtpqIBxx4N9nPcceXbQ0UnVYPbyDdW68iY2PYk4GFhxw=

Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm

List-Id: <cygwin.cygwin.com>

List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>

List-Archive: <http://sourceware.org/ml/cygwin/>

List-Post: <mailto:cygwin AT cygwin DOT com>

List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>

Sender: cygwin-owner AT cygwin DOT com

Mail-Followup-To: cygwin AT cygwin DOT com

Delivered-To: mailing list cygwin AT cygwin DOT com

Authentication-Results: sourceware.org; auth=none

X-Spam-SWARE-Status: No, score=-1.5 required=5.0 tests=AWL,BAYES_00,FREEMAIL_FROM,RCVD_IN_DNSWL_NONE,SPF_PASS autolearn=ham version=3.3.1 spammy=clearing, site

X-HELO: mail-ua1-f46.google.com

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=lZmADirGwWfQ0RxtEHm71ymwyLKnikxMD7pKg/NgVys=; b=eB+pCj/EIU9+6Oi0zeaQQfuof1ptjY7BgKk/udoyC8taWKkLQKdVhbVpo7iFJHSKn4 pNhDUO1e4KGmFJfn5yufoCH8kIVwP1liz68YFKSxc1HxbcBMNISiE7+MuikDCr2k97CM 1uJ+EdDSZW2Jdpj4D76dwzYydW9juXMcuJTpmpL+gMYS31uqSsqtqoPbbjezakjSuiQ3 AVve2KGdTJe8SpiBmc7Q5NsMIAiTmTXDo7Q7lATAzrW1AzyD7QTVAb5sX/t+8NmPkJdg gZz/K7pCt6WIxHxeg9kYRFe9Ygp/f8wa5rKVsb+0Hm8ovSRGzMVdyHprTUnPzGOFEMuL 5gRQ==

MIME-Version: 1.0

References: <CANSoFxtW0Jb1M5KfkFGGOxec_D8ysyYCrnk_PXWjHobLDXZauQ AT mail DOT gmail DOT com> <1a840c2e-55ac-0ab4-66c4-a1f6a2c4f81a AT Shaw DOT ca> <CANSoFxtA0vnF1adx4rwyjuMasrVAOGb8hT_Uct-wSdcazj252w AT mail DOT gmail DOT com> <41f12842-ea43-ff63-a660-26ee3b497c63 AT SystematicSw DOT ab DOT ca>

In-Reply-To: <41f12842-ea43-ff63-a660-26ee3b497c63@SystematicSw.ab.ca>

From: Archie Cobbs <archie DOT cobbs AT gmail DOT com>

Date: Mon, 11 Mar 2019 08:43:57 -0500

Message-ID: <CANSoFxtLzGgcOhrsu4h0eXXnpezB6v17cGwOrqy6SjSvJ__gLA@mail.gmail.com>

Subject: Re: SSL not required for setup.exe download

To: Brian DOT Inglis AT systematicsw DOT ab DOT ca, cygwin AT cygwin DOT com

X-IsSubscribed: yes

On Sun, Mar 10, 2019 at 10:51 PM Brian Inglis
<Brian DOT Inglis AT systematicsw DOT ab DOT ca> wrote:
> >>> Is there any reason not to force this redirect and close this security hole?
>
> There are apparently reasons not to force this redirect as it can also cause a
> security hole.

That's really interesting. Can you provide more detail?

> >> The whole sourceware.org site include cygwin.com uses HSTS which compliant
> >> supporting clients can use to switch to communicating over HTTPS.
> >> Clients which are not compliant or don't support HTTPS may still download the
> >> programs and files.
> >
> > I don't see how HSTS solves the particular issue that I'm referring to.
>
> HSTS redirects requests from port 80 to 443 (HTTPS).

Not for me. Well, actually I'm getting inconsistent results...

On Mac OS X, neither Firefox, Chrome nor Safari will redirect to SSL.

On an old Windows 7 system, neither IE 8 (no surprise there) or Chrome
redirects.

However, with Chrome, it does not redirect at first, but once I've
manually entered https://www.cygwin.com it seems to "realize" that a
secure site exists, and after that it starts redirecting to SSL.

I can revert that behavior by clearing the cache.

So it seems in the case of Chrome, it has to be "taught" about the
existence of the secure site... which of course takes us right back to
the original problem.

-AC

-- 
Archie L. Cobbs

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

- Raw text -

webmaster	delorie software privacy
Copyright © 2019 by DJ Delorie	Updated Jul 2019

X-Recipient:	archive-cygwin AT delorie DOT com
DomainKey-Signature:	a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:mime-version:references:in-reply-to:from:date
	:message-id:subject:to:content-type; q=dns; s=default; b=pD+jcNo
	NvNbO8oJaKT1tvhtT8+z78PVksVjOPrrMHX3tAEOmEHLihFCo7/+C+yH/hgMLJKO
	K3YTi5kWoPqZ6BCPpQVXSoC9zHFS2UNR+J3ygkpP+SVRR/6acXfalWH8javVSX2w
	UzbtiYN+c7Q1zDRmzunE+piznsam1l7PeJO0=
DKIM-Signature:	v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:mime-version:references:in-reply-to:from:date
	:message-id:subject:to:content-type; s=default; bh=eoV2vl0i4JTfs
	VVqVeaXiEQ1E+w=; b=rUXQ117cT+3GxJpv83XImFbTj4g3+gzcbQ2YXPfFUlMfJ
	nVPD27bqZ/P0PKJKii9Ug5xufQLyBtQjlVHA060yo1GNilgP5DHNT/qzr55IwZG6
	N5sKtItv0CevFToiiVCtpqIBxx4N9nPcceXbQ0UnVYPbyDdW68iY2PYk4GFhxw=
Mailing-List:	contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id:	<cygwin.cygwin.com>
List-Subscribe:	<mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive:	<http://sourceware.org/ml/cygwin/>
List-Post:	<mailto:cygwin AT cygwin DOT com>
List-Help:	<mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender:	cygwin-owner AT cygwin DOT com
Mail-Followup-To:	cygwin AT cygwin DOT com
Delivered-To:	mailing list cygwin AT cygwin DOT com
Authentication-Results:	sourceware.org; auth=none
X-Spam-SWARE-Status:	No, score=-1.5 required=5.0 tests=AWL,BAYES_00,FREEMAIL_FROM,RCVD_IN_DNSWL_NONE,SPF_PASS autolearn=ham version=3.3.1 spammy=clearing, site
X-HELO:	mail-ua1-f46.google.com
DKIM-Signature:	v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=lZmADirGwWfQ0RxtEHm71ymwyLKnikxMD7pKg/NgVys=; b=eB+pCj/EIU9+6Oi0zeaQQfuof1ptjY7BgKk/udoyC8taWKkLQKdVhbVpo7iFJHSKn4 pNhDUO1e4KGmFJfn5yufoCH8kIVwP1liz68YFKSxc1HxbcBMNISiE7+MuikDCr2k97CM 1uJ+EdDSZW2Jdpj4D76dwzYydW9juXMcuJTpmpL+gMYS31uqSsqtqoPbbjezakjSuiQ3 AVve2KGdTJe8SpiBmc7Q5NsMIAiTmTXDo7Q7lATAzrW1AzyD7QTVAb5sX/t+8NmPkJdg gZz/K7pCt6WIxHxeg9kYRFe9Ygp/f8wa5rKVsb+0Hm8ovSRGzMVdyHprTUnPzGOFEMuL 5gRQ==
MIME-Version:	1.0
References:	<CANSoFxtW0Jb1M5KfkFGGOxec_D8ysyYCrnk_PXWjHobLDXZauQ AT mail DOT gmail DOT com> <1a840c2e-55ac-0ab4-66c4-a1f6a2c4f81a AT Shaw DOT ca> <CANSoFxtA0vnF1adx4rwyjuMasrVAOGb8hT_Uct-wSdcazj252w AT mail DOT gmail DOT com> <41f12842-ea43-ff63-a660-26ee3b497c63 AT SystematicSw DOT ab DOT ca>
In-Reply-To:	<41f12842-ea43-ff63-a660-26ee3b497c63@SystematicSw.ab.ca>
From:	Archie Cobbs <archie DOT cobbs AT gmail DOT com>
Date:	Mon, 11 Mar 2019 08:43:57 -0500
Message-ID:	<CANSoFxtLzGgcOhrsu4h0eXXnpezB6v17cGwOrqy6SjSvJ__gLA@mail.gmail.com>
Subject:	Re: SSL not required for setup.exe download
To:	Brian DOT Inglis AT systematicsw DOT ab DOT ca, cygwin AT cygwin DOT com
X-IsSubscribed:	yes