Mail Archives: cygwin/2019/03/12/15:46:03

delorie.com/archives/browse.cgi

search

Mail Archives: cygwin/2019/03/12/15:46:03

X-Recipient: archive-cygwin AT delorie DOT com

DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id

:list-unsubscribe:list-subscribe:list-archive:list-post

:list-help:sender:mime-version:in-reply-to:references:from:date

:message-id:subject:to:content-type; q=dns; s=default; b=pAUoZOO

OHnwXlBhqE3C7c2OkzA3D8ssP6JKWl8IR0CUvl80KssLfJYFENaFkOFMzxD6J+Am

TdpJm8PoiVr4PdDhTQcjHOJm8ZhKK17SqPjdFx1bfs/m7GA8nvRZma78XDitrLGn

em/yKhcOycLEJJcGYtSTh2juCTHYKb87daP0=

DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id

:list-unsubscribe:list-subscribe:list-archive:list-post

:list-help:sender:mime-version:in-reply-to:references:from:date

:message-id:subject:to:content-type; s=default; bh=JVqb1oGkk3RUg

nQJz8aAPVISzAk=; b=RhdaQMFIVBR7B59TjDdK59+z1vAbz2Nbb1oBL1MmIwrvI

BUYhG4eFZ734PVnWQeAB+ANdkbpzi79pa5stIApvDftbreVEsC/z5tZkPp1xX3sj

QXedfJa/XLF/k5ikt2bQJwgEt0JiPcjQpM1eF43WT3H3IPEsidB5jRIQ4O/eYg=

Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm

List-Id: <cygwin.cygwin.com>

List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>

List-Archive: <http://sourceware.org/ml/cygwin/>

List-Post: <mailto:cygwin AT cygwin DOT com>

List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>

Sender: cygwin-owner AT cygwin DOT com

Mail-Followup-To: cygwin AT cygwin DOT com

Delivered-To: mailing list cygwin AT cygwin DOT com

Authentication-Results: sourceware.org; auth=none

X-Spam-SWARE-Status: No, score=-0.6 required=5.0 tests=AWL,BAYES_00,FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,RCVD_IN_DNSWL_NONE,SPF_PASS autolearn=no version=3.3.1 spammy=occasion, Greetings, H*r:a0c, attack

X-HELO: mail-qt1-f171.google.com

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=7IMmD1nuE4/zh46bt7HKY7iSY5gJHJpMz4IHtyv8eAY=; b=jKpBXmGgCbqKk8c3ztHarTgWudZa5s1jibA1XsjxyrsiKfLA7cztIi3aVXGWCO59zc pZ9PEH2ycu2/bKY3sNxtzJA831iNn/L4JrVGpoLLIHPhfrLiv0a0craEfiK8eb2/GcEf AVuLzmqLH3nMClSUsd+MMnneysKklXpL+byvD9QzftvztA3Kjl+TQaTTicDH8Xc942Rh L47m8TYS/1ocNjLMcWecQ5zxjSifo35kUCBJdBB302QD641JvHrv90QXLK0uLFIx4mgj eEqaRKhUE7VWmddRoXe88qq0He9CybRm6I0BdMFnj0ahyMMivqdHgH4A52VhAzR2nlSK Jpsg==

MIME-Version: 1.0

In-Reply-To: <1406950005.20190312031618@yandex.ru>

References: <CANSoFxtW0Jb1M5KfkFGGOxec_D8ysyYCrnk_PXWjHobLDXZauQ AT mail DOT gmail DOT com> <1a840c2e-55ac-0ab4-66c4-a1f6a2c4f81a AT Shaw DOT ca> <CANSoFxtA0vnF1adx4rwyjuMasrVAOGb8hT_Uct-wSdcazj252w AT mail DOT gmail DOT com> <41f12842-ea43-ff63-a660-26ee3b497c63 AT SystematicSw DOT ab DOT ca> <CANSoFxtLzGgcOhrsu4h0eXXnpezB6v17cGwOrqy6SjSvJ__gLA AT mail DOT gmail DOT com> <1b570593-0ec7-0890-26ef-7e7468534f47 AT SystematicSw DOT ab DOT ca> <CANSoFxsq+5OfRH7RF3QdpMSJU-4JAKSCZM-rUUysP5Y3myR0+Q AT mail DOT gmail DOT com> <1406950005 DOT 20190312031618 AT yandex DOT ru>

From: Lee <ler762 AT gmail DOT com>

Date: Tue, 12 Mar 2019 15:45:47 -0400

Message-ID: <CAD8GWsv=R+G5P9_fNvMvC1+txqPELr=5s3R38jiPyCUj0AcTFg@mail.gmail.com>

Subject: Re: SSL not required for setup.exe download

To: cygwin AT cygwin DOT com

X-IsSubscribed: yes

On 3/11/19, Andrey Repin  wrote:
> Greetings, Archie Cobbs!
>
>> I must say I'm surprised so many people think it's a good idea to
>> leave cygwin open to trivial MITM attacks, which is the current state
>> of affairs.
>
>> This is my opinion only of course, but if cygwin wants to have any
>> security credibility, it should simply disallow non-SSL downloads of
>> setup.exe. Otherwise the chain of authenticity is broken forever.
>
> All the SSL stuff is build on idea of implicit unlimited trust.

I agree, the whole certificate authority bit seems to .. over-promise.
On the other hand, it does also seems to "raise the bar" making it
much more difficult to snoop or alter data in transit.

> Which is way worse in my opinion, than any theoretical MITM attack, which
> is easily mitigated with proper validation of your downloads.

Serious question - exactly how does one do "proper validation of your
downloads"?

For example, I don't have the current version of 7-zip
  https://www.7-zip.org/
has a download link, but I don't see anything for a .sig, checksum or anything.
  https://sourceforge.net/projects/sevenzip/files/7-Zip/19.00/
isn't any better.
It seems to me that the best I can do is make sure I do the download
via an https:// link

> It gives you false sense of security. What is worse, everybody is
> attempting
> to reassure this false sense on every possible occasion.

I don't think it's a false sense of security.  https:// isn't "safe"
but it is _safer_ than http://

Regards,
Lee

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

- Raw text -

webmaster	delorie software privacy
Copyright © 2019 by DJ Delorie	Updated Jul 2019

X-Recipient:	archive-cygwin AT delorie DOT com
DomainKey-Signature:	a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:mime-version:in-reply-to:references:from:date
	:message-id:subject:to:content-type; q=dns; s=default; b=pAUoZOO
	OHnwXlBhqE3C7c2OkzA3D8ssP6JKWl8IR0CUvl80KssLfJYFENaFkOFMzxD6J+Am
	TdpJm8PoiVr4PdDhTQcjHOJm8ZhKK17SqPjdFx1bfs/m7GA8nvRZma78XDitrLGn
	em/yKhcOycLEJJcGYtSTh2juCTHYKb87daP0=
DKIM-Signature:	v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:mime-version:in-reply-to:references:from:date
	:message-id:subject:to:content-type; s=default; bh=JVqb1oGkk3RUg
	nQJz8aAPVISzAk=; b=RhdaQMFIVBR7B59TjDdK59+z1vAbz2Nbb1oBL1MmIwrvI
	BUYhG4eFZ734PVnWQeAB+ANdkbpzi79pa5stIApvDftbreVEsC/z5tZkPp1xX3sj
	QXedfJa/XLF/k5ikt2bQJwgEt0JiPcjQpM1eF43WT3H3IPEsidB5jRIQ4O/eYg=
Mailing-List:	contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id:	<cygwin.cygwin.com>
List-Subscribe:	<mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive:	<http://sourceware.org/ml/cygwin/>
List-Post:	<mailto:cygwin AT cygwin DOT com>
List-Help:	<mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender:	cygwin-owner AT cygwin DOT com
Mail-Followup-To:	cygwin AT cygwin DOT com
Delivered-To:	mailing list cygwin AT cygwin DOT com
Authentication-Results:	sourceware.org; auth=none
X-Spam-SWARE-Status:	No, score=-0.6 required=5.0 tests=AWL,BAYES_00,FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,RCVD_IN_DNSWL_NONE,SPF_PASS autolearn=no version=3.3.1 spammy=occasion, Greetings, H*r:a0c, attack
X-HELO:	mail-qt1-f171.google.com
DKIM-Signature:	v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=7IMmD1nuE4/zh46bt7HKY7iSY5gJHJpMz4IHtyv8eAY=; b=jKpBXmGgCbqKk8c3ztHarTgWudZa5s1jibA1XsjxyrsiKfLA7cztIi3aVXGWCO59zc pZ9PEH2ycu2/bKY3sNxtzJA831iNn/L4JrVGpoLLIHPhfrLiv0a0craEfiK8eb2/GcEf AVuLzmqLH3nMClSUsd+MMnneysKklXpL+byvD9QzftvztA3Kjl+TQaTTicDH8Xc942Rh L47m8TYS/1ocNjLMcWecQ5zxjSifo35kUCBJdBB302QD641JvHrv90QXLK0uLFIx4mgj eEqaRKhUE7VWmddRoXe88qq0He9CybRm6I0BdMFnj0ahyMMivqdHgH4A52VhAzR2nlSK Jpsg==
MIME-Version:	1.0
In-Reply-To:	<1406950005.20190312031618@yandex.ru>
References:	<CANSoFxtW0Jb1M5KfkFGGOxec_D8ysyYCrnk_PXWjHobLDXZauQ AT mail DOT gmail DOT com> <1a840c2e-55ac-0ab4-66c4-a1f6a2c4f81a AT Shaw DOT ca> <CANSoFxtA0vnF1adx4rwyjuMasrVAOGb8hT_Uct-wSdcazj252w AT mail DOT gmail DOT com> <41f12842-ea43-ff63-a660-26ee3b497c63 AT SystematicSw DOT ab DOT ca> <CANSoFxtLzGgcOhrsu4h0eXXnpezB6v17cGwOrqy6SjSvJ__gLA AT mail DOT gmail DOT com> <1b570593-0ec7-0890-26ef-7e7468534f47 AT SystematicSw DOT ab DOT ca> <CANSoFxsq+5OfRH7RF3QdpMSJU-4JAKSCZM-rUUysP5Y3myR0+Q AT mail DOT gmail DOT com> <1406950005 DOT 20190312031618 AT yandex DOT ru>
From:	Lee <ler762 AT gmail DOT com>
Date:	Tue, 12 Mar 2019 15:45:47 -0400
Message-ID:	<CAD8GWsv=R+G5P9_fNvMvC1+txqPELr=5s3R38jiPyCUj0AcTFg@mail.gmail.com>
Subject:	Re: SSL not required for setup.exe download
To:	cygwin AT cygwin DOT com
X-IsSubscribed:	yes