X-Recipient: archive-cygwin@delorie.com DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:date:from:reply-to:message-id:to:subject :in-reply-to:references:mime-version:content-type :content-transfer-encoding; q=dns; s=default; b=J63SsoXjeRvXM2mf /G0VwMOuFUNCDiE77rQqdhT6Prf0hiBirVApgWiM3Wq3Csi/gzncEwpsouFHu1wU X44BZtXr0i1RIZ27LiNVicFcs0MEV4IyazN50wPYL7m8gvGw0MN/wCUy7ZAxA0Rk XJk8cYqLumuP+frmTX8yGZXFEJU= DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:date:from:reply-to:message-id:to:subject :in-reply-to:references:mime-version:content-type :content-transfer-encoding; s=default; bh=DxNcB9QVE2AXxZf4N/y8rX UqQlM=; b=c9fn2CMac2fcNfJ0rmHG8N7KbJ89tPNHtuSzb4SHugH+kyg81q+Qrb job/BdXQUnB13O98cRJ/R4aYi++0N/U28cg9rQFRhST9Eh6qnKq+V9k2SLmzkXGc 4KiDofTFoRt4j5z5d2aTlEflJ9t/n0fbvtCVw1jES92+w3KxzK+SI= Mailing-List: contact cygwin-help@cygwin.com; run by ezmlm List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner@cygwin.com Mail-Followup-To: cygwin@cygwin.com Delivered-To: mailing list cygwin@cygwin.com Authentication-Results: sourceware.org; auth=none X-Spam-SWARE-Status: No, score=1.2 required=5.0 tests=BAYES_20,FREEMAIL_FROM,KAM_THEBAT,RCVD_IN_DNSWL_LOW,SPF_PASS autolearn=no version=3.3.1 spammy=HX-Priority:Normal, UD:ru, english, Sunday X-HELO: forward103j.mail.yandex.net DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yandex.ru; s=mail; t=1552224909; bh=2tRsrupa3NmTcYfUQVHd4ILe5CBrkmGASqbtenbbYwo=; h=In-Reply-To:Subject:To:Reply-To:From:Message-ID:References:Date; b=vx0ztPBim2Pdkhq8il82GIVvDH59fRldAbZNLKK0KdunezbhBOiWZ6Yb0cI81T05f OxKc7aEdj17RQoeA2zl0zZ3zYaUUIIjiWXM0tGE/njKsD5PbxhZTDQ8mxzpe4NfDl1 Eu6kWxHdxRhzr7xmPI6Qr8W0oVpPQrAhYFByJG2M= Authentication-Results: mxback13g.mail.yandex.net; dkim=pass header.i=@yandex.ru Date: Sun, 10 Mar 2019 16:29:57 +0300 From: Andrey Repin Reply-To: cygwin@cygwin.com Message-ID: <924339539.20190310162957@yandex.ru> To: Archie Cobbs , cygwin@cygwin.com Subject: Re: SSL not required for setup.exe download In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-IsSubscribed: yes Greetings, Archie Cobbs! > The FAQ states: > The Cygwin website provides the setup program (setup-x86.exe or > setup-x86_64.exe) using HTTPS (SSL/TLS). > While this is true, it's not mandatory. > If one happens to go to HTTP://www.cygwin.com instead of > HTTPS://www.cygwin.com, then neither the page you are viewing (which > contains the setup.exe download link), nor the setup.exe download link > itself are secured via SSL. > So someone who just types "cygwin.com" into the browser location bar > and clicks on the setup.exe link is vulnerable to a MTM attack. > It would be safer if http://www.cygwin.com always redirected you to > https://www.cygwin.com, where the page and the link are SSL. > Is there any reason not to force this redirect and close this security hole? If you care that much, you would use https. If not, then I see no reason to bend to hysteric crowd. -- With best regards, Andrey Repin Sunday, March 10, 2019 16:29:01 Sorry for my terrible english... -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple