DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:reply-to:subject:to:references:cc:from
	:message-id:date:mime-version:in-reply-to:content-type
	:content-transfer-encoding; q=dns; s=default; b=pwL/FgFR8T0by8Ma
	kMIzLzEUD+cPz3C3Q0wIMwt1Fb85XM8ozu5UvZXTBWb66Vl0vQ872FFItfkSyuTu
	B/YmCnfe6ymBmKGq75ntw5THCqal7BzemH3mMmOCoCewqSurbQtIGuwUdeuhlCLA
	hnbIWrTp6TYmamBZmbwQNBkHBMQ=
Mailing-List: contact cygwin-help@cygwin.com; run by ezmlm
Sender: cygwin-owner@cygwin.com
Mail-Followup-To: cygwin@cygwin.com
Reply-To: Brian.Inglis@SystematicSw.ab.ca
Subject: Re: SSL not required for setup.exe download
To: cygwin@cygwin.com
References: <CANSoFxtW0Jb1M5KfkFGGOxec_D8ysyYCrnk_PXWjHobLDXZauQ@mail.gmail.com> <1a840c2e-55ac-0ab4-66c4-a1f6a2c4f81a@Shaw.ca> <CANSoFxtA0vnF1adx4rwyjuMasrVAOGb8hT_Uct-wSdcazj252w@mail.gmail.com> <41f12842-ea43-ff63-a660-26ee3b497c63@SystematicSw.ab.ca> <3132c0de-2689-a270-b996-d309017ca815@maxrnd.com>
Cc: sourcemaster@sourceware.org
From: Brian Inglis <Brian.Inglis@SystematicSw.ab.ca>
Openpgp: preference=signencrypt
Message-ID: <8d0f9c58-8304-7525-3b9e-0b8e92b1d697@SystematicSw.ab.ca>
Date: Mon, 11 Mar 2019 05:50:28 -0600
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.5.3
MIME-Version: 1.0
In-Reply-To: <3132c0de-2689-a270-b996-d309017ca815@maxrnd.com>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit

On 2019-03-10 23:16, Mark Geisert wrote:
> On 2019-03-10, Brian Inglis wrote:
>> On 2019-03-10 10:40, Archie Cobbs wrote:
>>> In any case, the problem I'm talking about is trivial to verify. Just
>>> start up Chrome or Firefox and enter http://www.cygwin.com. You can
>>> then confirm that (a) the page you are looking at has an http:// URL,
>>> and (b) the link to setup.exe also has an http:// URL. Therefore,
>>> there is no real security in this scenario.
>>
>> I only get to see https://www.cygwin.com/ YMMV
> 
> FWIW, I can reproduce the OP's STC using Chrome, Firefox, and Pale Moon.  Not
> sure why it happens for some folks but not others.  But since it does exist for
> some users, should it be dealt with?

It is possible that some of the clients on some of the systems accessing
sourceware projects may not be capable of supporting HTTPS, TLS, or HSTS, so a
permanent 301 redirection to HTTPS:443 may not be feasible.

If the sourcemaster at sourceware.org dealt with the issues below:

	https://hstspreload.org/?domain=sourceware.org

by changing the header from:

	Strict-Transport-Security: max-age=16070400

to:

	Strict-Transport-Security: max-age=16070400; includeSubDomains; preload

it could be automatic soon in most major browsers using the Chromium/Mozilla
preload list:

	https://github.com/chromium/hstspreload.org

but some of us are currently redirected while others are not.

I have probably been using HTTPS in browsers and scripts since it was supported
by sourceware.org and cygwin.com.
It looks like once browsers or clients have seen the HTTPS:443 STS header, or if
a site is on a preload list, they redirect to HTTPS:443; if you use wget, check
for ~/.wget-hsts which should contain {,www.}{cygwin.com,sourceware.org} if you
used wget to access those sites.

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple