Mail Archives: cygwin/2019/03/11/18:59:51

Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
MIME-Version: 1.0
In-Reply-To: <CANSoFxsq+5OfRH7RF3QdpMSJU-4JAKSCZM-rUUysP5Y3myR0+Q@mail.gmail.com>
References: <CANSoFxtW0Jb1M5KfkFGGOxec_D8ysyYCrnk_PXWjHobLDXZauQ AT mail DOT gmail DOT com> <1a840c2e-55ac-0ab4-66c4-a1f6a2c4f81a AT Shaw DOT ca> <CANSoFxtA0vnF1adx4rwyjuMasrVAOGb8hT_Uct-wSdcazj252w AT mail DOT gmail DOT com> <41f12842-ea43-ff63-a660-26ee3b497c63 AT SystematicSw DOT ab DOT ca> <CANSoFxtLzGgcOhrsu4h0eXXnpezB6v17cGwOrqy6SjSvJ__gLA AT mail DOT gmail DOT com> <1b570593-0ec7-0890-26ef-7e7468534f47 AT SystematicSw DOT ab DOT ca> <CANSoFxsq+5OfRH7RF3QdpMSJU-4JAKSCZM-rUUysP5Y3myR0+Q AT mail DOT gmail DOT com>
From: Lee <ler762 AT gmail DOT com>
Date: Mon, 11 Mar 2019 18:59:36 -0400
Message-ID: <CAD8GWsu+P_d8RCiibkZ068oRAf8yeu=W5CLFO+ZNXGxjUcBOpw@mail.gmail.com>
Subject: Re: SSL not required for setup.exe download
To: cygwin AT cygwin DOT com

On 3/11/19, Archie Cobbs wrote:
> On Mon, Mar 11, 2019 at 2:43 PM Brian Inglis wrote:
>> On 2019-03-11 07:43, Archie Cobbs wrote:
>> > On Sun, Mar 10, 2019 at 10:51 PM Brian Inglis wrote:
>> >>>>> Is there any reason not to force this redirect and close this
>> >>>>> security hole?
>> >> There are apparently reasons not to force this redirect as it can also
>> >> cause a
>> >> security hole.
>> > That's really interesting. Can you provide more detail?
>>
>> Search for HTTP HTTPS redirection SSL stripping MitM attack
>
> I did, but I only get results relating to the "stripping" attack,
> which downgrades from HTTPS to HTTP.
>
> Obviously that would cause a reduction in security... But what I'm
> suggesting is the opposite: redirecting from HTTP to HTTPS.
>
> How could that reduce security?

Part of "security" is "availability".  If whatever is doing the download
isn't able to do TLS, then redirecting to https://cygwin.com makes
cygwin.com unavailable.

> (sigh)
>
> I must say I'm surprised so many people think it's a good idea to
> leave cygwin open to trivial MITM attacks, which is the current state
> of affairs.

But it's only open to a trivial MITM attack if the user types in
"http://cygwin.com" - correct?  Why isn't the fix "don't do that"?

> This is my opinion only of course, but if cygwin wants to have any
> security credibility, it should simply disallow non-SSL downloads of
> setup.exe. Otherwise the chain of authenticity is broken forever.

They sign setup.exe, so "the chain of authenticity" is there regardless.
  https://cygwin.com/setup-x86_64.exe
  https://cygwin.com/setup-x86_64.exe.sig

Regards,
Lee
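The "chain of authenticity" Lee points at is the detached OpenPGP signature next to setup.exe: whatever transport the file arrived over, the user can check the .sig against a publisher key they already trust. The script below is an added example, not code from the thread or from the Cygwin project. It runs offline by generating a throw-away signing key and a fake "setup.exe" (both constructed for the demo; the key identity, fingerprint placeholder and file names are made up), signs it the way a release process would, then verifies as the downloader, pinning the expected key fingerprint rather than accepting any key in the keyring. It also shows the two failure modes a practitioner cares about: a tampered download, and a good signature from a key that is not the pinned one. The real Cygwin fingerprint is not on this page, so nothing here claims to be it; obtain it from the project out of band, not over the same plain-HTTP channel you are trying to protect.

```shell
#!/bin/sh
# Added example: verify a detached OpenPGP signature (like setup-x86_64.exe.sig)
# against a download, with the publisher key pinned by fingerprint.
# Not the Cygwin project's code; key, file names and identities are constructed.
set -eu

# verify_detached FILE SIG EXPECTED_FPR
# Prints "ok" and returns 0 only if SIG is a valid signature over FILE made by
# the key whose fingerprint is EXPECTED_FPR; otherwise prints "FAIL", returns 1.
# Uses gpg's machine-readable status lines ("[GNUPG:] VALIDSIG <fpr> ...") so a
# good signature from the *wrong* key is rejected, not just a bad signature.
verify_detached() {
  file=$1 sig=$2 want_fpr=$3
  status=$(gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null || true)
  case "$status" in
    *"[GNUPG:] VALIDSIG $want_fpr "*) echo ok; return 0 ;;
    *) echo FAIL; return 1 ;;
  esac
}

if ! command -v gpg >/dev/null 2>&1; then
  echo "gpg not installed; demo skipped" >&2
  exit 0
fi

WORK=$(mktemp -d)
SIGNER=$WORK/signer      # publisher side (what cygwin.com does)
DOWNLOADER=$WORK/user    # user side (what the person running setup.exe does)
mkdir -m 700 "$SIGNER" "$DOWNLOADER"
trap 'GNUPGHOME=$SIGNER gpgconf --kill all 2>/dev/null || true;
      GNUPGHOME=$DOWNLOADER gpgconf --kill all 2>/dev/null || true;
      rm -rf "$WORK"' EXIT

# 1. Publisher: throw-away release key, a stand-in for setup-x86_64.exe, and
#    a detached signature over it (the .sig file the page links to).
GNUPGHOME=$SIGNER gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
  --quick-generate-key 'Demo Release Key <release@example.invalid>' default default never
printf 'pretend this is setup-x86_64.exe\n' > "$WORK/setup.exe"
GNUPGHOME=$SIGNER gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
  --detach-sign --output "$WORK/setup.exe.sig" "$WORK/setup.exe"
GNUPGHOME=$SIGNER gpg --batch --quiet --export release@example.invalid > "$WORK/release-key.gpg"
# The fingerprint the publisher would document; the user pins this value.
FPR=$(GNUPGHOME=$SIGNER gpg --batch --with-colons --fingerprint release@example.invalid \
      | awk -F: '$1=="fpr"{print $10; exit}')

# 2. Downloader: import the publisher key (obtained out of band in real life),
#    then verify. Only the public key exists on this side.
export GNUPGHOME=$DOWNLOADER
gpg --batch --quiet --import "$WORK/release-key.gpg"

GOOD=$(verify_detached "$WORK/setup.exe" "$WORK/setup.exe.sig" "$FPR" || true)

# Failure mode 1: the download was modified in transit (what an HTTP MITM does).
cp "$WORK/setup.exe" "$WORK/tampered.exe"
printf 'one extra byte is enough\n' >> "$WORK/tampered.exe"
TAMPERED=$(verify_detached "$WORK/tampered.exe" "$WORK/setup.exe.sig" "$FPR" || true)

# Failure mode 2: valid signature, but not from the pinned key (constructed
# placeholder fingerprint; an attacker-supplied key would hit the same branch).
WRONGKEY=$(verify_detached "$WORK/setup.exe" "$WORK/setup.exe.sig" \
           "0000000000000000000000000000000000000000" || true)

echo "good download:   $GOOD"
echo "tampered file:   $TAMPERED"
echo "unpinned key:    $WRONGKEY"
```

Against the real files the downloader step is `gpg --import <project key>` followed by `gpg --verify setup-x86_64.exe.sig setup-x86_64.exe`, with the VALIDSIG fingerprint compared to the one the project publishes; a bare `gpg --verify` exits 0 for any key in the keyring, which is why the function above pins the fingerprint instead of trusting the exit status alone.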

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
