Mail Archives: cygwin/2019/03/12/15:22:11

X-Recipient: archive-cygwin AT delorie DOT com
DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
:list-unsubscribe:list-subscribe:list-archive:list-post
:list-help:sender:from:to:subject:references:date:in-reply-to
:message-id:mime-version:content-type; q=dns; s=default; b=phR9v
mFuVe6wHYicJGfE4VqRrwtV6VPbEEwQU8ESAC5LF6CPJ1sKkaT7/S1BSEnR51S4z
MDO+1NKd7aAVDNHLSFpHhLAkfhNT7hSBB6bA0Lhd0Qku0eqoxlsxb1MZ8HU5gjpR
gFoGu1sN2c9TJhgC2J2IT4oL6da/6vza2vkGfQ=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id
:list-unsubscribe:list-subscribe:list-archive:list-post
:list-help:sender:from:to:subject:references:date:in-reply-to
:message-id:mime-version:content-type; s=default; bh=Uf1ceSke1k/
iaCKJiEkiWW5FLpk=; b=svHdcSg+h/LTjOKguQsw+9FXwQQvTMPghI54o/0gCNZ
+s+mpgaa1PDQfDUCfjM7YADxohRj9gLXjiuCyNLkNgB43jMHisR/yXV48FDuX7m0
eqa2Tx3DkPmZitTq4mfvQ7vj3EghXSk4kBk1a0Ms1gZqQhL6YbGL0dN3gNBBPcd8
=
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Authentication-Results: sourceware.org; auth=none
X-Spam-SWARE-Status: No, score=-2.4 required=5.0 tests=AWL,BAYES_00,RCVD_IN_DNSWL_LOW,SPF_PASS autolearn=ham version=3.3.1 spammy=channel, attack, HX-Languages-Length:1252, HX-Spam-Relays-External:ESMTPA
X-HELO: vsmx009.vodafonemail.xion.oxcs.net
From: Achim Gratz <Stromeko AT nexgo DOT de>
To: cygwin AT cygwin DOT com
Subject: Re: SSL not required for setup.exe download
References: <CANSoFxtW0Jb1M5KfkFGGOxec_D8ysyYCrnk_PXWjHobLDXZauQ AT mail DOT gmail DOT com> <1a840c2e-55ac-0ab4-66c4-a1f6a2c4f81a AT Shaw DOT ca> <CANSoFxtA0vnF1adx4rwyjuMasrVAOGb8hT_Uct-wSdcazj252w AT mail DOT gmail DOT com> <41f12842-ea43-ff63-a660-26ee3b497c63 AT SystematicSw DOT ab DOT ca> <CANSoFxtLzGgcOhrsu4h0eXXnpezB6v17cGwOrqy6SjSvJ__gLA AT mail DOT gmail DOT com> <1b570593-0ec7-0890-26ef-7e7468534f47 AT SystematicSw DOT ab DOT ca> <CANSoFxsq+5OfRH7RF3QdpMSJU-4JAKSCZM-rUUysP5Y3myR0+Q AT mail DOT gmail DOT com> <CAD8GWsu+P_d8RCiibkZ068oRAf8yeu=W5CLFO+ZNXGxjUcBOpw AT mail DOT gmail DOT com> <CANSoFxu7sNUqP3zSKHiFULBrvOkhPFRuc8MyAHojAGFNu-O_xQ AT mail DOT gmail DOT com>
Date: Tue, 12 Mar 2019 20:21:48 +0100
In-Reply-To: <CANSoFxu7sNUqP3zSKHiFULBrvOkhPFRuc8MyAHojAGFNu-O_xQ@mail.gmail.com> (Archie Cobbs's message of "Tue, 12 Mar 2019 08:47:36 -0500")
Message-ID: <87zhpz3nlf.fsf@Rainer.invalid>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.1 (gnu/linux)
MIME-Version: 1.0

Archie Cobbs writes:
> Downloading the sig file over HTTP is useless... any attacker going to
> the trouble to launch a MITM attack for setup.exe will certainly also
> do it for the sig file as well.

No, the signature would be rejected if you cared to actually check the
key and signature (truly checking the key mandates a separate
information channel that hopefully is not under the control of the
attacker).  Now, if you are postulating an attacker that can sign with
the correct key, then there wouldn't be any need for a cleartext MitM
attack in the first place.

> OTOH, if you download the file over HTTPS..  then your client supports
> SSL. Which is exactly what I'm saying should be mandatory.

Well, everyone so far agreed with you that TLS is preferable (although
it isn't nearly as foolproof as you seem to believe).  But you don't
seem to grasp that not everyone can use it every time and that the
fallback is actually better than the DoS that would result for folks
that are cut off from doing (proper) HTTPS.


Regards,
Achim.
-- 
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

Wavetables for the Terratec KOMPLEXER:
http://Synth.Stromeko.net/Downloads.html#KomplexerWaves

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
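The point Achim makes above (a detached signature fetched over plain HTTP is still useful as long as the verifying key is checked through a channel the network attacker does not control) can be shown with a small verifier. This is an added example, not code from the thread or from the Cygwin project: it uses Ed25519 from the Go standard library rather than the GPG setup Cygwin actually uses, pins the key by a SHA-256 fingerprint that stands in for the value a user would obtain out of band, and runs the verifier over a constructed payload in four situations: a genuine release, a payload altered in transit, a payload and signature both altered, and a payload re-signed under a different key that is served alongside it. Only the first is accepted; the last fails on the fingerprint check before any signature is examined.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Release is what a client fetches over an unauthenticated channel: the
// binary, its detached signature, and whatever public key the server offers
// next to them. All three must be treated as attacker-controllable.
type Release struct {
	Payload   []byte
	Signature []byte
	PubKey    ed25519.PublicKey
}

// fingerprint is the value compared against a fingerprint obtained through a
// separate channel (printed documentation, a different network path, a copy
// held by a colleague). SHA-256 over the raw key is an assumption of this
// example, not the format any particular project publishes.
func fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

var (
	ErrUntrustedKey = errors.New("offered key does not match the out-of-band fingerprint")
	ErrBadSignature = errors.New("signature does not verify over the downloaded payload")
)

// Verify accepts a release only if the offered key matches the pinned
// fingerprint and the detached signature verifies over the payload.
func Verify(r Release, pinnedFingerprint string) error {
	// Check the key first: a signature under an unknown key proves nothing.
	if len(r.PubKey) != ed25519.PublicKeySize || fingerprint(r.PubKey) != pinnedFingerprint {
		return ErrUntrustedKey
	}
	if !ed25519.Verify(r.PubKey, r.Payload, r.Signature) {
		return ErrBadSignature
	}
	return nil
}

// Publish stands in for the project's release step: sign the payload and
// ship the public key alongside it.
func Publish(priv ed25519.PrivateKey, payload []byte) Release {
	return Release{
		Payload:   payload,
		Signature: ed25519.Sign(priv, payload),
		PubKey:    priv.Public().(ed25519.PublicKey),
	}
}

// Scenarios runs the verifier over a constructed release as delivered intact
// and as it would look after three kinds of in-transit modification. The map
// value is the verifier's verdict; nil means the download was accepted.
func Scenarios() (map[string]error, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	pinned := fingerprint(pub) // what the user obtained out of band
	payload := []byte("constructed sample standing in for setup.exe bytes")
	genuine := Publish(priv, payload)

	// Payload changed on the wire, original signature left as-is.
	tampered := genuine
	tampered.Payload = append([]byte{}, payload...)
	tampered.Payload[0] ^= 0x01

	// Payload changed and the signature replaced with arbitrary bytes.
	forgedSig := tampered
	forgedSig.Signature = bytes.Repeat([]byte{0x41}, ed25519.SignatureSize)

	// Payload re-signed under a different key, with that key served instead.
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	resigned := Publish(otherPriv, tampered.Payload)

	return map[string]error{
		"genuine":                  Verify(genuine, pinned),
		"payload-tampered":         Verify(tampered, pinned),
		"payload-and-sig-tampered": Verify(forgedSig, pinned),
		"resigned-under-other-key": Verify(resigned, pinned),
	}, nil
}

func main() {
	results, err := Scenarios()
	if err != nil {
		panic(err)
	}
	for name, verdict := range results {
		fmt.Printf("%-26s -> %v\n", name, verdict)
	}
}
```

The fingerprint comparison is the part that cannot be automated away: if the pinned value itself came over the same unauthenticated channel, the key check collapses and the fourth scenario would be accepted. That is the "separate information channel" requirement in the message above, and it holds whether the download happened over HTTP or HTTPS.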
