Mail Archives: cygwin/2019/03/11/18:14:36

delorie.com/archives/browse.cgi

search

Mail Archives: cygwin/2019/03/11/18:14:36

X-Recipient: archive-cygwin AT delorie DOT com

DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id

:list-unsubscribe:list-subscribe:list-archive:list-post

:list-help:sender:mime-version:references:in-reply-to:from:date

:message-id:subject:to:content-type; q=dns; s=default; b=Zo9yL4b

AnwtiEAWxDCsEXsxH98xrEkldDGxF6Ki9HRH7p9aKnsyPaMcDukDRbDPqbICpVGt

TmyqVI2M9yXuVYYj48BzPBqACtcErzLCUzhKxeoyHgmi0/YJM4XTLPp6URTKZdtl

QA1UrviH7INkpgbuv60l/pkbTBo1jAHxeXPc=

DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id

:list-unsubscribe:list-subscribe:list-archive:list-post

:list-help:sender:mime-version:references:in-reply-to:from:date

:message-id:subject:to:content-type; s=default; bh=nybb3p/uqYcKQ

AKW74CRcC+fhYs=; b=NsrTwQjWnE/AOKP+UNaL8l5kMBGnfCW7yFs/uEhZlQ0KA

8hV2Zu9OuwooNTJbdyqIF5FsubasmLBZT+T+FLA0KCicOCYAcnIfSqRbMjT+acca

MP4UDgVjVW1k0wUXEspstjRvKZ8bV1IOL35rtH+Zo3Q3EhuQ7OTrvZLeWxPt+E=

Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm

List-Id: <cygwin.cygwin.com>

List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>

List-Archive: <http://sourceware.org/ml/cygwin/>

List-Post: <mailto:cygwin AT cygwin DOT com>

List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>

Sender: cygwin-owner AT cygwin DOT com

Mail-Followup-To: cygwin AT cygwin DOT com

Delivered-To: mailing list cygwin AT cygwin DOT com

Authentication-Results: sourceware.org; auth=none

X-Spam-SWARE-Status: No, score=-1.6 required=5.0 tests=AWL,BAYES_00,FREEMAIL_FROM,RCVD_IN_DNSWL_NONE,SPF_PASS autolearn=ham version=3.3.1 spammy=attacks, attack

X-HELO: mail-vk1-f182.google.com

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=iMdS0YrAOsjuxKkUs4eteSlhFDkaWwJMWl+Vrq+J61U=; b=NE74Sqqxg6lZDRAGMJnQKwIAY0y0DudAN9uV5bLZWNnN+DZQqJneg2TqoA5cIHZaEy NvZOjRoOTkRkfQryT2tSr/8v6dRidiBvTlZGv1XcJWQiOEV0OQ/W/CCt9d5Etk0+qw6g gjZB3NTN8NMkAaYjxyaWK0owIIRluBtNwH2f7R7f486nEuW4eo0winzmBziYBoQaFF0X hNVC7NSJ7JqOvvKNkQOIcJd1MKXWRli8/FHAvaX4FgN7y2YHgCCfvlkllz0qo++R/71L TxIr7+M/b+nkWkeKR/ndg0FpUK0/jFdjGEXU6ptFjmr9cSZcgW9srN4vo79LMOivrRyT /yzA==

MIME-Version: 1.0

References: <CANSoFxtW0Jb1M5KfkFGGOxec_D8ysyYCrnk_PXWjHobLDXZauQ AT mail DOT gmail DOT com> <1a840c2e-55ac-0ab4-66c4-a1f6a2c4f81a AT Shaw DOT ca> <CANSoFxtA0vnF1adx4rwyjuMasrVAOGb8hT_Uct-wSdcazj252w AT mail DOT gmail DOT com> <41f12842-ea43-ff63-a660-26ee3b497c63 AT SystematicSw DOT ab DOT ca> <CANSoFxtLzGgcOhrsu4h0eXXnpezB6v17cGwOrqy6SjSvJ__gLA AT mail DOT gmail DOT com> <1b570593-0ec7-0890-26ef-7e7468534f47 AT SystematicSw DOT ab DOT ca>

In-Reply-To: <1b570593-0ec7-0890-26ef-7e7468534f47@SystematicSw.ab.ca>

From: Archie Cobbs <archie DOT cobbs AT gmail DOT com>

Date: Mon, 11 Mar 2019 17:14:11 -0500

Message-ID: <CANSoFxsq+5OfRH7RF3QdpMSJU-4JAKSCZM-rUUysP5Y3myR0+Q@mail.gmail.com>

Subject: Re: SSL not required for setup.exe download

To: Brian DOT Inglis AT systematicsw DOT ab DOT ca, cygwin AT cygwin DOT com

X-IsSubscribed: yes

On Mon, Mar 11, 2019 at 2:43 PM Brian Inglis
<Brian DOT Inglis AT systematicsw DOT ab DOT ca> wrote:
> On 2019-03-11 07:43, Archie Cobbs wrote:
> > On Sun, Mar 10, 2019 at 10:51 PM Brian Inglis wrote:
> >>>>> Is there any reason not to force this redirect and close this security hole?
> >> There are apparently reasons not to force this redirect as it can also cause a
> >> security hole.
> > That's really interesting. Can you provide more detail?
>
> Search for HTTP HTTPS redirection SSL stripping MitM attack

I did, but I only get results relating to the "stripping" attack,
which downgrades from HTTPS to HTTP.

Obviously that would cause a reduction in security... But what I'm
suggesting is the opposite: redirecting from HTTP to HTTPS.

How could that reduce security?

(sigh)

I must say I'm surprised so many people think it's a good idea to
leave cygwin open to trivial MITM attacks, which is the current state
of affairs.

This is my opinion only of course, but if cygwin wants to have any
security credibility, it should simply disallow non-SSL downloads of
setup.exe. Otherwise the chain of authenticity is broken forever.

-AC

-- 
Archie L. Cobbs

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

- Raw text -

webmaster	delorie software privacy
Copyright © 2019 by DJ Delorie	Updated Jul 2019

X-Recipient:	archive-cygwin AT delorie DOT com
DomainKey-Signature:	a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:mime-version:references:in-reply-to:from:date
	:message-id:subject:to:content-type; q=dns; s=default; b=Zo9yL4b
	AnwtiEAWxDCsEXsxH98xrEkldDGxF6Ki9HRH7p9aKnsyPaMcDukDRbDPqbICpVGt
	TmyqVI2M9yXuVYYj48BzPBqACtcErzLCUzhKxeoyHgmi0/YJM4XTLPp6URTKZdtl
	QA1UrviH7INkpgbuv60l/pkbTBo1jAHxeXPc=
DKIM-Signature:	v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:mime-version:references:in-reply-to:from:date
	:message-id:subject:to:content-type; s=default; bh=nybb3p/uqYcKQ
	AKW74CRcC+fhYs=; b=NsrTwQjWnE/AOKP+UNaL8l5kMBGnfCW7yFs/uEhZlQ0KA
	8hV2Zu9OuwooNTJbdyqIF5FsubasmLBZT+T+FLA0KCicOCYAcnIfSqRbMjT+acca
	MP4UDgVjVW1k0wUXEspstjRvKZ8bV1IOL35rtH+Zo3Q3EhuQ7OTrvZLeWxPt+E=
Mailing-List:	contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id:	<cygwin.cygwin.com>
List-Subscribe:	<mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive:	<http://sourceware.org/ml/cygwin/>
List-Post:	<mailto:cygwin AT cygwin DOT com>
List-Help:	<mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender:	cygwin-owner AT cygwin DOT com
Mail-Followup-To:	cygwin AT cygwin DOT com
Delivered-To:	mailing list cygwin AT cygwin DOT com
Authentication-Results:	sourceware.org; auth=none
X-Spam-SWARE-Status:	No, score=-1.6 required=5.0 tests=AWL,BAYES_00,FREEMAIL_FROM,RCVD_IN_DNSWL_NONE,SPF_PASS autolearn=ham version=3.3.1 spammy=attacks, attack
X-HELO:	mail-vk1-f182.google.com
DKIM-Signature:	v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=iMdS0YrAOsjuxKkUs4eteSlhFDkaWwJMWl+Vrq+J61U=; b=NE74Sqqxg6lZDRAGMJnQKwIAY0y0DudAN9uV5bLZWNnN+DZQqJneg2TqoA5cIHZaEy NvZOjRoOTkRkfQryT2tSr/8v6dRidiBvTlZGv1XcJWQiOEV0OQ/W/CCt9d5Etk0+qw6g gjZB3NTN8NMkAaYjxyaWK0owIIRluBtNwH2f7R7f486nEuW4eo0winzmBziYBoQaFF0X hNVC7NSJ7JqOvvKNkQOIcJd1MKXWRli8/FHAvaX4FgN7y2YHgCCfvlkllz0qo++R/71L TxIr7+M/b+nkWkeKR/ndg0FpUK0/jFdjGEXU6ptFjmr9cSZcgW9srN4vo79LMOivrRyT /yzA==
MIME-Version:	1.0
References:	<CANSoFxtW0Jb1M5KfkFGGOxec_D8ysyYCrnk_PXWjHobLDXZauQ AT mail DOT gmail DOT com> <1a840c2e-55ac-0ab4-66c4-a1f6a2c4f81a AT Shaw DOT ca> <CANSoFxtA0vnF1adx4rwyjuMasrVAOGb8hT_Uct-wSdcazj252w AT mail DOT gmail DOT com> <41f12842-ea43-ff63-a660-26ee3b497c63 AT SystematicSw DOT ab DOT ca> <CANSoFxtLzGgcOhrsu4h0eXXnpezB6v17cGwOrqy6SjSvJ__gLA AT mail DOT gmail DOT com> <1b570593-0ec7-0890-26ef-7e7468534f47 AT SystematicSw DOT ab DOT ca>
In-Reply-To:	<1b570593-0ec7-0890-26ef-7e7468534f47@SystematicSw.ab.ca>
From:	Archie Cobbs <archie DOT cobbs AT gmail DOT com>
Date:	Mon, 11 Mar 2019 17:14:11 -0500
Message-ID:	<CANSoFxsq+5OfRH7RF3QdpMSJU-4JAKSCZM-rUUysP5Y3myR0+Q@mail.gmail.com>
Subject:	Re: SSL not required for setup.exe download
To:	Brian DOT Inglis AT systematicsw DOT ab DOT ca, cygwin AT cygwin DOT com
X-IsSubscribed:	yes