From: "David A. Wheeler"
Reply-To: dwheeler AT dwheeler DOT com
To: "cygwin"
Subject: Cygwin website uses http: (not https:) for .exe downloads, allowing man-in-the-middle attack
Date: Thu, 26 Feb 2015 17:31:38 -0500 (EST)

The Cygwin front web page ( https://www.cygwin.com/ ) says:

"Install it by running setup-x86.exe (32-bit installation) or setup-x86_64.exe (64-bit installation)."

However, both of the links to those .exe executables explicitly use "http://", and not "https://", even when you go to the https version of the Cygwin website.

This use of http: enables a man-in-the-middle attack on anyone trying to download the Cygwin installer. In particular, a man-in-the-middle could maliciously modify the .exe, and there are many programs that can automatically insert malicious code into a Windows .exe file.

Please fix those links to use "https:", and not "http:". You might also want to enable "HTTP Strict Transport Security" (HSTS) on the Cygwin website.

--- David A. Wheeler

--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
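A site-audit check for the condition the report describes, added here as an example (it is not code from the message or from the Cygwin project): it collects the anchors of an HTTPS page, resolves each href against the page URL, and flags executable downloads that would be fetched over plain http, plus a small HSTS header check. The HTML sample and the header sets are constructed to mimic the described page; no network access is needed.

```python
# Added example, not from the original message or the Cygwin project.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample modelled on the reported page: served over https,
# but both installer links are hard-coded to http://.
SAMPLE_PAGE_URL = "https://www.cygwin.com/"
SAMPLE_HTML = """
<p>Install it by running
<a href="http://www.cygwin.com/setup-x86.exe">setup-x86.exe</a> (32-bit installation) or
<a href="http://www.cygwin.com/setup-x86_64.exe">setup-x86_64.exe</a> (64-bit installation).</p>
<a href="/faq/">FAQ</a>
<a href="https://www.cygwin.com/setup-x86.exe.sig">signature</a>
"""

# Suffixes treated as installers/executables (assumed list, extend as needed).
EXECUTABLE_SUFFIXES = (".exe", ".msi", ".dmg", ".pkg", ".sh", ".deb", ".rpm")


class LinkCollector(HTMLParser):
    """Collect every href value found on <a> tags."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def insecure_download_links(page_url, html):
    """Return absolute URLs of executable downloads that resolve to plain http.

    Relative hrefs inherit the page's scheme, so on an https page only
    explicit http:// links are flagged, which is exactly the reported defect.
    """
    collector = LinkCollector()
    collector.feed(html)
    flagged = []
    for href in collector.hrefs:
        absolute = urljoin(page_url, href)
        parts = urlsplit(absolute)
        if parts.scheme == "http" and parts.path.lower().endswith(EXECUTABLE_SUFFIXES):
            flagged.append(absolute)
    return flagged


def has_hsts(headers):
    """True if a response header mapping carries Strict-Transport-Security."""
    return any(k.lower() == "strict-transport-security" for k in headers)
```

Run `insecure_download_links(SAMPLE_PAGE_URL, SAMPLE_HTML)` to list the two http:// installer links; a page whose links are relative or https yields an empty list.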