Mailing-List: contact cygwin-help@cygwin.com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe@cygwin.com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin@cygwin.com>
List-Help: <mailto:cygwin-help@cygwin.com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner@cygwin.com
Mail-Followup-To: cygwin@cygwin.com
Delivered-To: mailing list cygwin@cygwin.com
Subject: Re: Cygwin website uses http: (not https:) for .exe downloads, allowing man-in-the-middle attack
From: Warren Young <wyml@etr-usa.com>
In-Reply-To: <CAPbcu1PA=VSL+EFj2uN0eTknNCVWVb8y62BcgotyAhbFqa1G7A@mail.gmail.com>
Date: Thu, 26 Feb 2015 17:39:55 -0700
Message-Id: <0A816C51-DFB8-4A0B-872B-DB1A139F4C08@etr-usa.com>
References: <E1YR6y2-0008G9-Gr@rmm6prod02.runbox.com> <CAPbcu1PA=VSL+EFj2uN0eTknNCVWVb8y62BcgotyAhbFqa1G7A@mail.gmail.com>
To: The Cygwin Mailing List <cygwin@cygwin.com>

On Feb 26, 2015, at 3:39 PM, Darik Horn <dajhorn@vanadac.com> wrote:
> 
> Note that GPG signatures are published for the Cygwin setup binaries:

If someone can MITM the *.exe files, they can MITM the GPG sigs, too.

You could try and be diligent and check that the signature was made with a GPG key you trust, but I’ll bet most people who have checked this just test whether the signature is valid.

At its worst, GPG’s web of trust behaves like today’s overly-trusting web browsers, which may have hundreds of CAs you’ve never heard of.  Just because your browser vendor trusts the CA doesn’t mean you should, too.  Getting a GPG public key via an untrusted path is exactly like that.

GPG sigs are better for authenticity detection than MD5/SHA hashes, but only by as much as the trustworthiness of the path you got the GPG public key via.
--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
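One way to act on the distinction drawn above (a signature being *valid* versus being made by a key you actually trust), as an added shell example that is not part of this thread or of the Cygwin project: feed the machine-readable status stream of `gpg --verify` to a checker that only accepts a VALIDSIG from a pinned fingerprint. `EXPECTED_FPR` is a placeholder (the real signing-key fingerprint is not on this page and must come from a path you trust), and `check_sig_status`/`verify_setup` are the example's own names.

```shell
#!/bin/sh
# Added example: accept a Cygwin setup binary only if its detached signature
# was made by a key whose fingerprint we pinned out of band. A signature that
# is merely "valid" (GOODSIG/VALIDSIG from some other key) is rejected, which
# is exactly the check most people skip.
# Assumptions: gpg is installed; EXPECTED_FPR is a PLACEHOLDER you replace.

EXPECTED_FPR="0000000000000000000000000000000000000000"   # placeholder pin

# check_sig_status EXPECTED_FPR  < lines from "gpg --status-fd 1"
# Returns 0 only when a VALIDSIG line names the pinned fingerprint, either as
# the signing (sub)key (field 3) or as the primary key (last field).
# Any BADSIG / ERRSIG / NO_PUBKEY line is fatal.
check_sig_status() {
    expected=$1
    matched=1
    while IFS= read -r line; do
        case $line in
            "[GNUPG:] VALIDSIG "*)
                fpr=$(printf '%s\n' "$line" | cut -d' ' -f3)
                primary=$(printf '%s\n' "$line" | awk '{print $NF}')
                if [ "$fpr" = "$expected" ] || [ "$primary" = "$expected" ]; then
                    matched=0
                fi
                ;;
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] NO_PUBKEY "*)
                return 1
                ;;
        esac
    done
    return $matched
}

# verify_setup FILE SIGFILE: run gpg and pipe its status stream to the checker.
# gpg's own exit status is deliberately ignored; it is 0 for a valid signature
# from ANY key in the keyring, which is the trap the mail describes.
verify_setup() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null \
        | check_sig_status "$EXPECTED_FPR"
}

# Usage: verify_setup setup-x86_64.exe setup-x86_64.exe.sig && echo "pinned key OK"
```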


