| delorie.com/archives/browse.cgi | search |
| X-Recipient: | archive-cygwin AT delorie DOT com |
| DomainKey-Signature: | a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id |
| :list-unsubscribe:list-subscribe:list-archive:list-post | |
| :list-help:sender:message-id:date:from:mime-version:to:cc | |
| :subject:references:in-reply-to:content-type | |
| :content-transfer-encoding; q=dns; s=default; b=MLdEIOf8vIIrY+Yy | |
| DhD+oeIymxm82vNF9tTwPaK+Hu3n02xHYLRVh8Z++oqtVo7ag8CKdVv8PUXlLaBP | |
| /ktzINeDgA7wWlvw0ZVjciyooCsL8XayTMHuQormuGGgTAvaNWWo34evk55AoqvO | |
| P92Hq/KeEEtZZJyzXOZzAj+7Tyc= | |
| DKIM-Signature: | v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id |
| :list-unsubscribe:list-subscribe:list-archive:list-post | |
| :list-help:sender:message-id:date:from:mime-version:to:cc | |
| :subject:references:in-reply-to:content-type | |
| :content-transfer-encoding; s=default; bh=37QPmNH3E2Kn1JQr0X+Ccp | |
| 5EDxk=; b=LKkSx6j3lKedBtUoyjZuINp+KThkNTnU+XnJG1eSJlPhd+UhbkgtWd | |
| NqgYHQaDUxTEdoH6LDOIPLnMVZbYyo6r8oW8m0BPS+yFBf8Z8gZZou+s1i0HHIym | |
| 8nWVl0bd/VfzHigxGdIbtvAv0M+oZKsy4w7j96/NCyuKsCus+pOhs= | |
| Mailing-List: | contact cygwin-help AT cygwin DOT com; run by ezmlm |
| List-Id: | <cygwin.cygwin.com> |
| List-Subscribe: | <mailto:cygwin-subscribe AT cygwin DOT com> |
| List-Archive: | <http://sourceware.org/ml/cygwin/> |
| List-Post: | <mailto:cygwin AT cygwin DOT com> |
| List-Help: | <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs> |
| Sender: | cygwin-owner AT cygwin DOT com |
| Mail-Followup-To: | cygwin AT cygwin DOT com |
| Delivered-To: | mailing list cygwin AT cygwin DOT com |
| Authentication-Results: | sourceware.org; auth=none |
| X-Spam-SWARE-Status: | No, score=-6.0 required=5.0 tests=AWL,BAYES_00,GIT_PATCH_2 autolearn=ham version=3.3.1 spammy=behaviors, Somehow, site |
| X-HELO: | Ishtar.sc.tlinx.org |
| Message-ID: | <5C86C415.3000807@tlinx.org> |
| Date: | Mon, 11 Mar 2019 13:24:53 -0700 |
| From: | L A Walsh <cygwin AT tlinx DOT org> |
| User-Agent: | Thunderbird |
| MIME-Version: | 1.0 |
| To: | archie DOT cobbs AT gmail DOT com |
| CC: | cygwin AT cygwin DOT com |
| Subject: | Re: SSL should not be required for open source downloading |
| References: | <CANSoFxtW0Jb1M5KfkFGGOxec_D8ysyYCrnk_PXWjHobLDXZauQ AT mail DOT gmail DOT com> <1a840c2e-55ac-0ab4-66c4-a1f6a2c4f81a AT Shaw DOT ca> <CANSoFxtA0vnF1adx4rwyjuMasrVAOGb8hT_Uct-wSdcazj252w AT mail DOT gmail DOT com> <41f12842-ea43-ff63-a660-26ee3b497c63 AT SystematicSw DOT ab DOT ca> <CANSoFxtLzGgcOhrsu4h0eXXnpezB6v17cGwOrqy6SjSvJ__gLA AT mail DOT gmail DOT com> |
| In-Reply-To: | <CANSoFxtLzGgcOhrsu4h0eXXnpezB6v17cGwOrqy6SjSvJ__gLA@mail.gmail.com> |
| X-IsSubscribed: | yes |
On 3/11/2019 6:43 AM, Archie Cobbs wrote:
> On Sun, Mar 10, 2019 at 10:51 PM Brian Inglis
> <Brian DOT Inglis AT systematicsw DOT ab DOT ca> wrote:
>
>>>>> Is there any reason not to force this redirect and close this security hole?
>>>>>
>> There are apparently reasons not to force this redirect as it can also cause a
>> security hole.
>>
>
> That's really interesting. Can you provide more detail?
>
I know that was directed at Brian, but...
Because if the assumption is that the site uses https or will redirect it,
then to start the session the client would send startTLS parameters.
If it so happens that part of the site, does not use https, then
an attacker could grab those initial parameters. Somehow providing
"opensource" binaries doesn't seem like the type of thing that needs
or should even have encryption.
>
>>>> The whole sourceware.org site include cygwin.com uses HSTS which compliant supporting clients can use to switch to communicating over HTTPS. Clients which are not compliant or don't support HTTPS may still download the programs and files.
>>>>
>>> I don't see how HSTS solves the particular issue that I'm referring to.
>>>
>> HSTS redirects requests from port 80 to 443 (HTTPS).
>>
>
> Not for me. Well, actually I'm getting inconsistent results...
> On Mac OS X, neither Firefox, Chrome nor Safari will redirect to SSL.
>
FWIW, apple customizes their library behaviors and doesn't always follow the
standards.
> On an old Windows 7 system, neither IE 8 (no surprise there) or Chrome
> redirects.
>
---
HSTS is only set from HTTPS. If you only access the site in cleartext,
that is what you will get. If you don't understand HSTS, perhaps reading
and understanding the document would be good before promoting it -- just
sayin'.
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
| webmaster | delorie software privacy |
| Copyright © 2019 by DJ Delorie | Updated Jul 2019 |