X-Recipient: archive-cygwin@delorie.com
DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:subject:to:references:from:message-id:date
	:mime-version:in-reply-to:content-type
	:content-transfer-encoding; q=dns; s=default; b=TbIiBIgWzoYVtRbf
	h/qdQkmsKxgN8hxSEBVM4Gv20qBx49mUrTpJgQGi6GqN2LAQTTEcMuuAzwkJipm1
	kPK70ySNVKUpwnZheGzZybMPbU6ipJf2Vcg7GKs30zLz8KVELUMTU5TlbIJJThpj
	NWV9J+rUQ+r/4U1nznhl9l8R3rQ=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:subject:to:references:from:message-id:date
	:mime-version:in-reply-to:content-type
	:content-transfer-encoding; s=default; bh=jI3kQlqaTPmTqDJ9UCrMFJ
	hkZcI=; b=xlrQyzPoD6MYS10Vj+HRLJr65hJlcrbJAy7GGkq5QZgX+SECsRtPpu
	bVFFZd/3VvvhzEj7F7s4s+/LDYZFCCTTjrsYrZ57ZcUPRQZuIs0X7RWI+8Spl93p
	dYXekh2CBr5ZwwIuEe1ONR4PZ9hoaxtn2/QLdEI+SBpihFARGdzRc=
Mailing-List: contact cygwin-help@cygwin.com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe@cygwin.com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin@cygwin.com>
List-Help: <mailto:cygwin-help@cygwin.com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner@cygwin.com
Mail-Followup-To: cygwin@cygwin.com
Delivered-To: mailing list cygwin@cygwin.com
Authentication-Results: sourceware.org; auth=none
X-Spam-SWARE-Status: No, score=-1.9 required=5.0 tests=AWL,BAYES_00 autolearn=ham version=3.3.1 spammy=pale, H*UA:6.1, H*u:6.1, enter
X-HELO: m0.truegem.net
Subject: Re: SSL not required for setup.exe download
To: cygwin@cygwin.com
References: <CANSoFxtW0Jb1M5KfkFGGOxec_D8ysyYCrnk_PXWjHobLDXZauQ@mail.gmail.com> <1a840c2e-55ac-0ab4-66c4-a1f6a2c4f81a@Shaw.ca> <CANSoFxtA0vnF1adx4rwyjuMasrVAOGb8hT_Uct-wSdcazj252w@mail.gmail.com> <41f12842-ea43-ff63-a660-26ee3b497c63@SystematicSw.ab.ca>
From: Mark Geisert <mark@maxrnd.com>
Message-ID: <3132c0de-2689-a270-b996-d309017ca815@maxrnd.com>
Date: Sun, 10 Mar 2019 22:16:07 -0700
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0 SeaMonkey/2.46
MIME-Version: 1.0
In-Reply-To: <41f12842-ea43-ff63-a660-26ee3b497c63@SystematicSw.ab.ca>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit

Brian Inglis wrote:
> On 2019-03-10 10:40, Archie Cobbs wrote:
[...]
>> In any case, the problem I'm talking about is trivial to verify. Just
>> start up Chrome or Firefox and enter http://www.cygwin.com. You can
>> then confirm that (a) the page you are looking at has an http:// URL,
>> and (b) the link to setup.exe also has an http:// URL. Therefore,
>> there is no real security in this scenario.
>
> I only get to see https://www.cygwin.com/ YMMV

FWIW, I can reproduce the OP's STC using Chrome, Firefox, and Pale Moon.  Not 
sure why it happens for some folks but not others.  But since it does exist for 
some users, should it be dealt with?

..mark


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple