From: Archie Cobbs <archie.cobbs@gmail.com>
Date: Mon, 11 Mar 2019 08:43:57 -0500
Message-ID: <CANSoFxtLzGgcOhrsu4h0eXXnpezB6v17cGwOrqy6SjSvJ__gLA@mail.gmail.com>
Subject: Re: SSL not required for setup.exe download
To: Brian.Inglis@systematicsw.ab.ca, cygwin@cygwin.com

On Sun, Mar 10, 2019 at 10:51 PM Brian Inglis
<Brian.Inglis@systematicsw.ab.ca> wrote:
> >>> Is there any reason not to force this redirect and close this security hole?
>
> There are apparently reasons not to force this redirect as it can also cause a
> security hole.

That's really interesting. Can you provide more detail?

> >> The whole sourceware.org site include cygwin.com uses HSTS which compliant
> >> supporting clients can use to switch to communicating over HTTPS.
> >> Clients which are not compliant or don't support HTTPS may still download the
> >> programs and files.
> >
> > I don't see how HSTS solves the particular issue that I'm referring to.
>
> HSTS redirects requests from port 80 to 443 (HTTPS).

Not for me. Well, actually I'm getting inconsistent results...

On Mac OS X, neither Firefox, Chrome nor Safari will redirect to SSL.

On an old Windows 7 system, neither IE 8 (no surprise there) nor Chrome
redirects.

However, with Chrome, it does not redirect at first, but once I've
manually entered https://www.cygwin.com it seems to "realize" that a
secure site exists, and after that it starts redirecting to SSL.

I can revert that behavior by clearing the cache.

So it seems in the case of Chrome, it has to be "taught" about the
existence of the secure site... which of course takes us right back to
the original problem.

-AC

-- 
Archie L. Cobbs
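The "has to be taught" behaviour above is how HSTS (RFC 6797) is specified: a browser only records a host's policy from a Strict-Transport-Security header received over TLS, so the very first plain-HTTP visit is not upgraded unless the host is preloaded or the server itself redirects. The following toy HSTS store, written for this thread and not Chrome's or cygwin.com's code, replays that sequence with a constructed header value; the host names and policy values are assumptions.

```python
import re
import time

# Toy model of a browser's HSTS store (RFC 6797); hypothetical code for this thread.
class HstsStore:
    def __init__(self, preload=()):
        # host -> (expiry_epoch, include_subdomains); the preload list is assumed
        self._known = {h: (float("inf"), True) for h in preload}

    def observe_response(self, host, headers, over_tls, now=None):
        """Learn a policy. RFC 6797 honours the header only over TLS, so a plain-HTTP reply never teaches a host."""
        value = headers.get("Strict-Transport-Security", "")
        m = re.search(r'max-age\s*=\s*"?(\d+)', value, re.I)
        if not over_tls or m is None:           # seen over http, or no usable max-age
            return False
        now = time.time() if now is None else now
        if int(m.group(1)) == 0:                # max-age=0 withdraws the policy
            self._known.pop(host.lower(), None)
            return True
        include_sub = re.search(r"\bincludeSubDomains\b", value, re.I) is not None
        self._known[host.lower()] = (now + int(m.group(1)), include_sub)
        return True

    def should_upgrade(self, host, now=None):
        """True if an http:// request to host must be rewritten to https://."""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):            # exact host first, then each parent domain
            entry = self._known.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

    def clear(self):                            # what "clearing the cache" does
        self._known.clear()

def cygwin_scenario():
    """Replay the behaviour reported above; the header value here is constructed."""
    store, host = HstsStore(), "www.cygwin.com"
    hdr = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
    fresh = store.should_upgrade(host)                 # new profile: no upgrade
    store.observe_response(host, hdr, over_tls=False)  # header over http: ignored
    after_http = store.should_upgrade(host)
    store.observe_response(host, hdr, over_tls=True)   # user typed https:// once
    after_https = store.should_upgrade(host)
    store.clear()
    after_clear = store.should_upgrade(host)
    return fresh, after_http, after_https, after_clear
```

Only a preload entry (or a server-side redirect on port 80) covers that first visit, which is why the store's `preload` argument exists.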
