From: Archie Cobbs
Date: Sat, 9 Mar 2019
22:54:29 -0600
Subject: SSL not required for setup.exe download
To: cygwin AT cygwin DOT com

The FAQ states:

    The Cygwin website provides the setup program (setup-x86.exe or setup-x86_64.exe) using HTTPS (SSL/TLS).

While this is true, it's not mandatory. If one happens to go to HTTP://www.cygwin.com instead of HTTPS://www.cygwin.com, then neither the page you are viewing (which contains the setup.exe download link) nor the setup.exe download link itself is secured via SSL. So someone who just types "cygwin.com" into the browser location bar and clicks on the setup.exe link is vulnerable to an MTM attack.

It would be safer if http://www.cygwin.com always redirected you to https://www.cygwin.com, where the page and the link are SSL.

Is there any reason not to force this redirect and close this security hole?

-Archie

-- 
Archie L. Cobbs

--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
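The two conditions the mail describes can be checked mechanically: does a plain-HTTP request to the site get redirected to the same host over HTTPS, and does the download page still carry any installer link that would be fetched over plain HTTP? The script below is an added example written for this archive page; it is not part of the thread and not the Cygwin project's own tooling. The host www.example.org, the sample HTML and the installer file names it searches for are constructed for the example; the live_check helper is the only part that touches the network and is not needed for the offline checks.

```python
"""Offline checks for the two problems raised in the mail:
 1. a plain-HTTP request is not redirected to HTTPS on the same host;
 2. a download page reached over http:// carries installer links that
    would also be fetched over http://.
Constructed example for this archive page; not Cygwin project code."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse
import urllib.error
import urllib.request

# Installer file names to look for (taken from the FAQ text quoted in the mail).
INSTALLER_NAMES = ("setup-x86.exe", "setup-x86_64.exe")

# Constructed download page, as it might be served over plain HTTP.
SAMPLE_HTML = """
<html><body>
<a href="setup-x86_64.exe">Download 64-bit</a>
<a href="http://www.example.org/setup-x86.exe">Download 32-bit</a>
<a href="https://www.example.org/setup-x86_64.exe">Secure 64-bit</a>
<a href="/faq/">FAQ</a>
</body></html>
"""


def redirects_to_https(status, headers, http_url):
    """True if the response to a plain-HTTP request is a redirect whose
    Location is the same host over https://. A redirect to another host
    or to another http:// URL does not count."""
    if status not in (301, 302, 307, 308):
        return False
    lowered = {k.lower(): v for k, v in headers.items()}
    target = urlparse(urljoin(http_url, lowered.get("location", "")))
    return target.scheme == "https" and target.hostname == urlparse(http_url).hostname


class _LinkCollector(HTMLParser):
    """Collects every <a href="..."> on the page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def insecure_installer_links(html, page_url):
    """Return the absolute installer URLs on the page that are not https://.
    Relative links inherit the scheme of page_url, which is exactly the case
    in the mail: an http:// page makes even a relative setup.exe link insecure."""
    collector = _LinkCollector()
    collector.feed(html)
    insecure = []
    for href in collector.hrefs:
        absolute = urljoin(page_url, href)
        parsed = urlparse(absolute)
        if parsed.path.rsplit("/", 1)[-1] in INSTALLER_NAMES and parsed.scheme != "https":
            insecure.append(absolute)
    return insecure


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so the first response is visible."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_check(http_url):
    """Fetch http_url once, without following redirects.
    Returns (status, headers, body). Network access required."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(http_url, timeout=10) as resp:
            return resp.status, dict(resp.headers), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx land here
        return err.code, dict(err.headers), err.read().decode("utf-8", "replace")


if __name__ == "__main__":
    page = "http://www.example.org/"  # assumed host for the example
    print("insecure links on http page:", insecure_installer_links(SAMPLE_HTML, page))
    print("insecure links on https page:",
          insecure_installer_links(SAMPLE_HTML, page.replace("http://", "https://")))
    print("301 to same host over https counts as redirect:",
          redirects_to_https(301, {"Location": "https://www.example.org/"}, page))
```

Note what the redirect does and does not buy: the redirect response itself travels over plain HTTP, so an attacker positioned on the first visit can still strip it; a Strict-Transport-Security header on the HTTPS site narrows that window to the very first visit, and the explicit https:// links in the page close the relative-link case regardless of which scheme the reader arrived on.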