From: "David A. Wheeler"
Reply-To: dwheeler AT dwheeler DOT com
To: "cygwin"
Subject: How Cygwin counters man-in-the-middle (MITM) attacks
Date: Sun, 08 Mar 2015 15:25:56 -0400 (EDT)

I'm trying to convince myself that the changes being made to Cygwin will counter man-in-the-middle (MITM) attacks during installation or update.
Can someone tell me if the details below are correct? I think something like this should be a new FAQ entry, e.g., "How does Cygwin counter man-in-the-middle (MITM) attacks during installation and update?" Thanks.

--- David A. Wheeler

=== DETAILS ===

Here is how I think Cygwin will counter man-in-the-middle (MITM) attacks during installation and update (once the switch to SHA-512 is complete):

1. The Cygwin server is correctly configured to support https (TLS).
   I checked Cygwin.com's SSL/TLS implementation using Qualys ( https://www.ssllabs.com/ssltest/ ). Cygwin.com got an overall rating of "B" (capped because it permits the RC4 cipher). That's reasonable evidence that it is correctly configured. The cygwin.com site now supports HTTP Strict Transport Security (HSTS) according to Qualys. I believe that is new (and welcome news), because HSTS counters many MITM attacks.

2. The setup program is downloaded by the user using https.
   The user downloads setup-x86.exe or setup-x86_64.exe using https; https causes the user's web browser to authenticate the data source. Downloading these executables wasn't protected by https at one time (see my report https://cygwin.com/ml/cygwin/2015-02/msg00875.html), but that has been fixed (https://cygwin.com/ml/cygwin/2015-02/msg00896.html).

3. The Cygwin key is embedded in the setup program.
   The setup program has the Cygwin public key embedded in it, so the Cygwin public key is protected by the previous step. You can confirm this by looking at the setup project (http://sourceware.org/cygwin-apps/setup.html) source code via a git clone, and looking at file "cyg-pubkey.h" which is automatically generated from file "cygwin.pub".

4. The package list (setup.{ini,bz2}) has its digital signature checked.
   The setup program downloads from some mirror site the latest package list "setup.bz2" (compressed) or "setup.ini" (uncompressed). The package list not only lists the official Cygwin packages, but it also includes their cryptographic hashes.
   The setup program also gets the relevant ".sig" (signature) file. A mirror could corrupt the package list or signature, but this is countered because the setup program checks that the package list is correctly signed using the public key embedded in the setup program (you have to use the "-X" option to NOT check signatures). The setup program also checks the setup.{bz2,ini} timestamp/version and reports to the user if the file goes backwards in time; that process detects downgrade attacks (e.g., where an attacker sends an old signed setup.ini file).

5. The possibly-updated packages to be installed are downloaded and their cryptographic hashes (from the signed setup.ini file) are checked.
   Currently (as of 2015-03-08) Cygwin uses MD5 cryptographic hashes. As long as MD5 is accepted then Cygwin is vulnerable to MITM, because MD5 is a totally broken algorithm. E.g., in 2012 the Flame malware exploited MD5 to fake a Microsoft digital signature. However, the 2015-02-06 update of setup*.exe added support for SHA-512 (e.g., see https://cygwin.com/ml/cygwin/2015-02/msg00093.html), and "we're going to switch to using SHA512 checksums in the setup.ini files in a couple of weeks and this requires all of you to use the newer Setup version." There are no known practical exploits of SHA-512 (part of SHA-2).

Obviously this argument doesn't discuss other attacks (e.g., is the cygwin.com server adequately countering attack, is the Cygwin private key protected, are files protected as they come from developers, etc.). But I think it's important to know about MITM.
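
Added example, not part of the original message and not Cygwin's setup source: a Python sketch of the checks in steps 4 and 5, applied to a package list whose signature is assumed to have already been verified against the embedded key. The field layout ("setup-timestamp:", "install: path size digest"), the function names and the sample data are assumptions constructed for illustration.

```python
import hashlib
import re

ACCEPTED = {128: hashlib.sha512}  # hex digest length -> algorithm; MD5 (32) is absent

def parse_package_list(text):
    """Return (setup_timestamp, {path: (size, hex_digest)}) from the list text."""
    timestamp, files = None, {}
    for line in text.splitlines():
        m = re.match(r"setup-timestamp:\s*(\d+)\s*$", line)
        if m:
            timestamp = int(m.group(1))
        m = re.match(r"(?:install|source):\s*(\S+)\s+(\d+)\s+([0-9a-fA-F]+)\s*$", line)
        if m:
            files[m.group(1)] = (int(m.group(2)), m.group(3).lower())
    if timestamp is None:
        raise ValueError("package list carries no setup-timestamp")
    return timestamp, files

def check_not_rollback(new_ts, last_seen_ts):
    """Step 4: an old but validly signed list replayed by a mirror is a downgrade."""
    if last_seen_ts is not None and new_ts < last_seen_ts:
        raise ValueError(f"package list went backwards: {new_ts} < {last_seen_ts}")
    return new_ts

def verify_package(path, data, files):
    """Step 5: check downloaded bytes against the entry in the signed list."""
    if path not in files:
        raise ValueError(f"{path}: not in the signed package list")
    size, digest = files[path]
    algo = ACCEPTED.get(len(digest))
    if algo is None:
        raise ValueError(f"{path}: {len(digest)}-char digest is not SHA-512, refusing")
    if len(data) != size or algo(data).hexdigest() != digest:
        raise ValueError(f"{path}: size or SHA-512 mismatch")
    return True

# Constructed sample data: not real Cygwin packages, paths or hashes.
GOOD = b"constructed package bytes"
DEMO = "x86_64/release/demo/demo-1.0-1.tar.xz"
LEGACY = "x86_64/release/legacy/legacy-1.0-1.tar.xz"
SAMPLE_LIST = (
    "setup-timestamp: 1425842756\n"
    f"@ demo\ninstall: {DEMO} {len(GOOD)} {hashlib.sha512(GOOD).hexdigest()}\n"
    f"@ legacy\ninstall: {LEGACY} {len(GOOD)} {'0' * 32}\n"  # MD5-length digest
)

if __name__ == "__main__":
    ts, files = parse_package_list(SAMPLE_LIST)
    print(check_not_rollback(ts, ts - 60), verify_package(DEMO, GOOD, files))
```

The entry with the 32-character digest is refused outright rather than checked with MD5, which is the behaviour the switch to SHA-512 in step 5 depends on.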