X-Recipient: archive-cygwin AT delorie DOT com
DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:content-type:mime-version:subject:from
	:in-reply-to:date:content-transfer-encoding:message-id
	:references:to; q=dns; s=default; b=wInJicGJtALwiJ9UuzEAyE8Wu49C
	bFg9LfaH85L8sJKGtehxjOLjlyDEd/ICaH22xoOHV4nO2BTMtS+qUvIelBWysdI4
	6n6HgKzB10T3PPdHdDSGa911oVB4uHEEnMG8Fr1SvjKb5jX/Cuia3IgKqIzFnWYd
	bMtw1sRe3u4hW9M=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:content-type:mime-version:subject:from
	:in-reply-to:date:content-transfer-encoding:message-id
	:references:to; s=default; bh=EfADKCCO46p4yQiXrnba5TI+p5A=; b=dc
	rR0oQfW47nerL0xHkATe5DICvSpvMLnG3hLakFbtQr50bSph0nG93Wv2HMotaeIK
	bZtVUCvETsRFlqnh7Cdr0rDgofLCDuSibUeFukCecJLz0fF4q6Vt/MC2aTJbzWvO
	DE9qo40VFHDugcc2Nhg1NhLRXJF0SeQJZ3Uk4KR0g=
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Authentication-Results: sourceware.org; auth=none
X-Virus-Found: No
X-Spam-SWARE-Status: No, score=-0.5 required=5.0 tests=AWL,BAYES_05,T_RP_MATCHES_RCVD autolearn=ham version=3.3.2
X-HELO: etr-usa.com
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2070.6\))
Subject: Re: Cygwin website uses http: (not https:) for .exe downloads, allowing man-in-the-middle attack
From: Warren Young <wyml AT etr-usa DOT com>
In-Reply-To: <CAPbcu1PA=VSL+EFj2uN0eTknNCVWVb8y62BcgotyAhbFqa1G7A@mail.gmail.com>
Date: Thu, 26 Feb 2015 17:39:55 -0700
Message-Id: <0A816C51-DFB8-4A0B-872B-DB1A139F4C08@etr-usa.com>
References: <E1YR6y2-0008G9-Gr AT rmm6prod02 DOT runbox DOT com> <CAPbcu1PA=VSL+EFj2uN0eTknNCVWVb8y62BcgotyAhbFqa1G7A AT mail DOT gmail DOT com>
To: The Cygwin Mailing List <cygwin AT cygwin DOT com>
X-IsSubscribed: yes
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by delorie.com id t1R0eDOq021664

On Feb 26, 2015, at 3:39 PM, Darik Horn <dajhorn AT vanadac DOT com> wrote:
> 
> Note that GPG signatures are published for the Cygwin setup binaries:

If someone can MITM the *.exe files, they can MITM the GPG sigs, too.

You could try and be diligent and check that the signature was made with a GPG key you trust, but I’ll bet most people who have checked this just test whether the signature is valid.

At its worst, GPG’s web of trust behaves like today’s overly-trusting web browsers, which may have hundreds of CAs you’ve never heard of.  Just because your browser vendor trusts the CA doesn’t mean you should, too.  Getting a GPG public key via an untrusted path is exactly like that.

GPG sigs are better for authenticity detection than MD5/SHA hashes, but only by as much as the trustworthiness of the path you got the GPG public key via.
--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple