X-Recipient: archive-cygwin AT delorie DOT com DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:date:from:to:subject:message-id:reply-to :references:mime-version:content-type:in-reply-to; q=dns; s= default; b=qMIYCMMnYASZ3QxdC0r6TrBGyxsi/1bFndl1HvdLaaz8BjERS+KIF Pb/Rcyth3sP66DYP5ctsy7aXTNcbqDHkoSelmRhy96S32cN4OaHB7o2/PPJ2ERv+ Wwnz4jpotT+7zrYGBepHq03T7tkydrWzOxvwMNX3dYjep1UrnfGTfA= DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:date:from:to:subject:message-id:reply-to :references:mime-version:content-type:in-reply-to; s=default; bh=PtKP31ICML/1C+sqJ+aLFLAutY0=; b=hiL1gMUrgbNKtq74shCGQxM5LJP6 RtFH+ERPaFijvs4dC3A/2nlMhK7kd7Vt5CipLqsAkTGJV7YdgICDMJe5ErgJ/Hjq oY49JXgM5dpfJ/tvSyAjoWdvAIMVnQkYOGiB3zp+RivJGEPbaA2K0lakgRM8ptOX nroVB3kT9vechDw= Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner AT cygwin DOT com Mail-Followup-To: cygwin AT cygwin DOT com Delivered-To: mailing list cygwin AT cygwin DOT com Authentication-Results: sourceware.org; auth=none X-Virus-Found: No X-Spam-SWARE-Status: No, score=-5.9 required=5.0 tests=AWL,BAYES_00 autolearn=ham version=3.3.2 X-HELO: calimero.vinschen.de Date: Thu, 26 Feb 2015 23:37:37 +0100 From: Corinna Vinschen To: cygwin AT cygwin DOT com Subject: Re: Cygwin website uses http: (not https:) for .exe downloads, allowing man-in-the-middle attack Message-ID: <20150226223737.GD11124@calimero.vinschen.de> Reply-To: cygwin AT cygwin DOT com Mail-Followup-To: cygwin AT cygwin DOT com References: MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="UoPmpPX/dBe4BELn" Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.23 (2014-03-12) --UoPmpPX/dBe4BELn Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Feb 26 17:31, David A. Wheeler wrote: > The Cygwin front web page ( https://www.cygwin.com/ ) says: > "Install it by running setup-x86.exe (32-bit installation) or > setup-x86_64.exe (64-bit installation)." >=20 > However, both of the links to those .exe executables explicitly use > "http://", and not "https://", even when you go to the https version > of the Cygwin website. This use of http: enables a man-in-the-middle > attack on anyone trying to download the Cygwin installer. In > particular, a man-in-the-middle could maliciously modify the .exe, and > there are many programs that can automatically insert malicious code > into a Windows .exe file. Did you notice that you're automatically redirected to https? > Please fix those links to use "https:", and not "http:". >=20 > You might also want to enable "HTTP Strict Transport Security" (HSTS) > on the Cygwin website. That's not for us to say. We're user of the site, not admins. Corinna --=20 Corinna Vinschen Please, send mails regarding Cygwin to Cygwin Maintainer cygwin AT cygwin DOT com Red Hat --UoPmpPX/dBe4BELn Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQIcBAEBAgAGBQJU76AxAAoJEPU2Bp2uRE+g5ZkQAJBrriK+QFOSXWm2TQ50A+lN +z1oatehq1kurMywzNaA3oFp2mWBXv5tG+dvWDWU9rIgI8AxUSa0d5M+6Fn8drsf MSBjWkgTb1LA2euacGRHol3iFYI6JWYkUUjQZ4dcWoTMR/qcJUZFw3qBZgCFu3Qg +Q/txUtyXhIVSYOEZGUaYvfJRfHCPfqDUtKG+coCjCqd38DZtNE6CVoPhjOjauDX Qz5Zio/M58ohve0aBi1cJwfBI+auWHlmxTxzDyRVPDscvHYVhd3Klh7ziuHsbuTD AGWtfWFLFjEjcKYnEncuAzfvqwitmQ2YtbLUnEIDrXILXM49IcOA7eSASLq5GYsS BfyNzev8KZJPZ4isaKTCSu1rKi0uiswFHgI+s05OCxS5Ni7Mv7K0GFmIPIrvccQy JWtKNkpEpQRqaQ0dBNo0pbyio+bjd2JDUHEhQPC3l4dQw0pPCSgUeL64ylMnDJNO pUh8P2dm402xPZJn6M7eZ0iGUqt0hl/KJRyatVwPSor8Q1Yhco+yo+PUMoJNGFXC HpsG2fdNIYu1hFFeY9Ft9qVgjwvP037xfBBrdVFSgzQkRIe3WdQRt1/zYUI2WquA zd3mKz3mU1+ma/B0n5BaQTaEpP/jun/V4XivBMV0QlBu5nNg7E9V3ghF2llfwgJj 4Cygzvl3plAaUCZeij0Y =xVE/ -----END PGP SIGNATURE----- --UoPmpPX/dBe4BELn--