Mailing-List: contact cygwin-help@cygwin.com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe@cygwin.com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin@cygwin.com>
List-Help: <mailto:cygwin-help@cygwin.com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner@cygwin.com
Mail-Followup-To: cygwin@cygwin.com
Delivered-To: mailing list cygwin@cygwin.com
From: Brian Inglis <Brian.Inglis@SystematicSw.ab.ca>
Subject: Re: SSL not required for setup.exe download
Reply-To: Brian.Inglis@SystematicSw.ab.ca
To: cygwin@cygwin.com
References: <CANSoFxtW0Jb1M5KfkFGGOxec_D8ysyYCrnk_PXWjHobLDXZauQ@mail.gmail.com>
Openpgp: preference=signencrypt
Message-ID: <fcfccbe3-a4e3-2f75-a2f4-23d12abc5a70@SystematicSw.ab.ca>
Date: Sun, 10 Mar 2019 08:16:47 -0600
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.5.3
MIME-Version: 1.0
In-Reply-To: <CANSoFxtW0Jb1M5KfkFGGOxec_D8ysyYCrnk_PXWjHobLDXZauQ@mail.gmail.com>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-IsSubscribed: yes

On 2019-03-09 21:54, Archie Cobbs wrote:
> The FAQ states:
>     The Cygwin website provides the setup program (setup-x86.exe or
> setup-x86_64.exe) using HTTPS (SSL/TLS).
> While this is true, it's not mandatory.
> If one happens to go to HTTP://www.cygwin.com instead of
> HTTPS://www.cygwin.com, then neither the page you are viewing (which
> contains the setup.exe download link), nor the setup.exe download link
> itself are secured via SSL.
> So someone who just types "cygwin.com" into the browser location bar
> and clicks on the setup.exe link is vulnerable to a MTM attack.
> It would be safer if http://www.cygwin.com always redirected you to
> https://www.cygwin.com, where the page and the link are SSL.
> Is there any reason not to force this redirect and close this security hole?

The whole sourceware.org site, including cygwin.com, uses HSTS, which compliant
clients that support it can use to switch to communicating over HTTPS.
Clients which are not compliant or don't support HTTPS may still download the
programs and files.

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.

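How the HSTS behaviour described in this reply plays out for the plain-HTTP
setup link from the original question, as an added example in Python (not
code from cygwin.com, sourceware.org or either poster): a small model of an
RFC 6797 client-side HSTS cache, applied to a client that has previously
received the policy over HTTPS and to one that arrives cold over HTTP, plus
the server-side 301 redirect the original question proposes. The
Strict-Transport-Security header value, the download URL and the timestamps
are constructed for the example and are not captured from the real site.

```python
"""Model of an HSTS-aware client and of a forced http->https redirect.
Added example; not code from cygwin.com or sourceware.org.  All header
values and URLs below are constructed for the example."""

import time
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1).

    Returns {"max_age": int, "include_subdomains": bool}, or None when the
    header is invalid (missing or duplicated max-age, non-numeric value).
    Unknown directives such as "preload" are ignored, as the RFC requires.
    """
    max_age = None
    include_subdomains = False
    for directive in header_value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return {"max_age": max_age, "include_subdomains": include_subdomains}


class HstsClient:
    """Minimal client-side HSTS cache: host -> (expiry, includeSubDomains)."""

    def __init__(self, now=None):
        self.cache = {}
        self.now = now if now is not None else time.time()

    def observe_response(self, url, headers):
        """Record the policy carried by a response.  Returns True if stored.

        RFC 6797 section 8.1: a policy seen over plain HTTP is ignored, so a
        client that has only ever talked to the site over http:// learns
        nothing, which is exactly the first-visit case the question raises.
        """
        parts = urlsplit(url)
        if parts.scheme != "https":
            return False
        value = headers.get("Strict-Transport-Security")
        if value is None:
            return False
        policy = parse_hsts(value)
        if policy is None:
            return False
        if policy["max_age"] == 0:
            self.cache.pop(parts.hostname, None)  # max-age=0 removes the host
            return True
        self.cache[parts.hostname] = (self.now + policy["max_age"],
                                      policy["include_subdomains"])
        return True

    def is_known_host(self, host):
        """True if an unexpired policy covers host (or a parent with includeSubDomains)."""
        for cached_host, (expiry, include_sub) in self.cache.items():
            if expiry <= self.now:
                continue
            if host == cached_host:
                return True
            if include_sub and host.endswith("." + cached_host):
                return True
        return False

    def effective_url(self, url):
        """Rewrite http:// to https:// before sending, if the host is known."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known_host(parts.hostname):
            netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url


def redirect_to_https(request_url):
    """Server-side fix proposed in the thread: 301 every http:// request.

    Returns (status, Location) or None when no redirect is needed.
    """
    parts = urlsplit(request_url)
    if parts.scheme != "http":
        return None
    return (301, urlunsplit(("https", parts.hostname, parts.path, parts.query, "")))


def demo():
    """Warm client (has seen the HTTPS policy) vs cold client (never has)."""
    link = "http://www.cygwin.com/setup-x86_64.exe"           # constructed URL
    policy_headers = {"Strict-Transport-Security":            # constructed value
                      "max-age=31536000; includeSubDomains"}
    warm = HstsClient(now=1_000_000)
    warm.observe_response("https://cygwin.com/", policy_headers)
    cold = HstsClient(now=1_000_000)
    return {"warm": warm.effective_url(link),
            "cold": cold.effective_url(link),
            "redirect": redirect_to_https(link)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The warm client rewrites the download link to https:// on its own because
cygwin.com's policy carries includeSubDomains and covers www.cygwin.com; the
cold client sends the request as typed, which is where a server-side
redirect (and, for browsers, a preload-list entry) takes over.
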
--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

