X-Recipient: archive-cygwin AT delorie DOT com
DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:content-type:content-transfer-encoding
	:mime-version:from:reply-to:to:subject:date:in-reply-to
	:message-id; q=dns; s=default; b=JX9/TRjeXnEIjVo054DbrI5usuVbmk5
	A0gBXpBA2DtbTMiQxi/WGtI9i6fPprX1ICM/jEIJ9xpC80DbUmjOX5nwl+AppLgB
	M3i/ve4sb6Bfjnse+KSwEXNgKreIXqU0qJAG9ODJHemRB8Dmg2AxphjmT+a1OIkS
	FkTLUYd5e+Dw=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:content-type:content-transfer-encoding
	:mime-version:from:reply-to:to:subject:date:in-reply-to
	:message-id; s=default; bh=Zu57HI14SyiY3X9tW279zP83Lsc=; b=BZ61u
	M75WKQA0quRMPKI+rNcmkPH3AbDTRPeRbh09n+1SnUWhzZMZYEVpw8+R51uerbEy
	/Wjm44NVZT2ChYMbG/Y9kWPJjnE7N0sVbcX829BOhRmzZqdD3Yh7eD1bNzrzqdxK
	obTp5S28KxxlySkT0LjtIvoFYU43wiR4hi5CDU=
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Authentication-Results: sourceware.org; auth=none
X-Virus-Found: No
X-Spam-SWARE-Status: No, score=-1.7 required=5.0 tests=AWL,BAYES_00,SPF_PASS,UNPARSEABLE_RELAY autolearn=ham version=3.3.2
X-HELO: aibo.runbox.com
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
MIME-Version: 1.0
From: "David A. Wheeler" <dwheeler AT dwheeler DOT com>
Reply-To: dwheeler AT dwheeler DOT com
To: "cygwin" <cygwin AT cygwin DOT com>
Subject: Re: Cygwin website uses http: (not https:) for .exe downloads, allowing man-in-the-middle attack
Date: Thu, 26 Feb 2015 18:23:59 -0500 (EST)
In-Reply-To: <20150226223737.GD11124@calimero.vinschen.de>
Message-Id: <E1YR7mh-00070M-5w@rmm6prod02.runbox.com>
X-IsSubscribed: yes
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by delorie.com id t1QNOGIf015567

On Thu, 26 Feb 2015 23:37:37 +0100, Corinna Vinschen <corinna-cygwin AT cygwin DOT com> wrote:
> On Feb 26 17:31, David A. Wheeler wrote:
> > The Cygwin front web page ( https://www.cygwin.com/ ) says:
> > "Install it by running setup-x86.exe (32-bit installation) or
> > setup-x86_64.exe (64-bit installation)."
> > 
> Did you notice that you're automatically redirected to https?

Yes, but the redirect looks like it's vulnerable to a man-in-the-middle attack.
The front page http: hyperlink *disables* https on the request, because it explicitly asks for http: instead.
If the browser sees an "http" link, it typically uses http to send the request (unless HSTS is used).
In that case, a man-in-the-middle attacker can just intercept the http request and reply with
a malicious executable.  When that happens cygwin.org never gets a chance to redirect anything.
It's possible it's okay (I haven't done a packet capture on it), but it looks really suspicious.

Links to executables should explicitly say "https://".  It's a trivial change to the webpage, too.


> > You might also want to enable "HTTP Strict Transport Security" (HSTS)
> > on the Cygwin website.

Corinna Vinschen:
> That's not for us to say.  We're user of the site, not admins.

You can always ask the admins.  Anyway, my key point is to make it possible
to *start* and *stay* on https: when downloading the .exe file (to prevent tampering).

--- David A. Wheeler


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple