Date: Sun, 10 Mar 2019 16:29:57 +0300
From: Andrey Repin
Reply-To: cygwin AT cygwin DOT com
Message-ID: <924339539.20190310162957@yandex.ru>
To: Archie Cobbs, cygwin AT cygwin DOT com
Subject: Re: SSL not required for setup.exe download

Greetings, Archie Cobbs!

> The FAQ states:
>
>     The Cygwin website provides the setup program (setup-x86.exe or
>     setup-x86_64.exe) using HTTPS (SSL/TLS).
>
> While this is true, it's not mandatory.
>
> If one happens to go to HTTP://www.cygwin.com instead of
> HTTPS://www.cygwin.com, then neither the page you are viewing (which
> contains the setup.exe download link), nor the setup.exe download link
> itself are secured via SSL.
>
> So someone who just types "cygwin.com" into the browser location bar
> and clicks on the setup.exe link is vulnerable to a MTM attack.
>
> It would be safer if http://www.cygwin.com always redirected you to
> https://www.cygwin.com, where the page and the link are SSL.
>
> Is there any reason not to force this redirect and close this security hole?

If you care that much, you would use https.
If not, then I see no reason to bend to hysteric crowd.

-- 
With best regards,
Andrey Repin
Sunday, March 10, 2019 16:29:01

Sorry for my terrible english...

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
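
The condition the quoted message describes can be checked mechanically. The following is an added example, not part of the original thread or of the Cygwin project: it resolves each download link against the URL the page was fetched from and reports which downloads would travel in plaintext. The HTML is constructed for illustration (it is not the real cygwin.com markup, and it assumes the download link is relative); `audit_downloads` and `mirror.example` are hypothetical names.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page: one relative link, one absolute https link,
# one absolute http link to a made-up mirror.
SAMPLE_HTML = """
<p>Run <a href="setup-x86_64.exe">setup-x86_64.exe</a> or
<a href="https://www.cygwin.com/setup-x86.exe">setup-x86.exe</a>.
Mirror: <a href="http://mirror.example/setup-x86_64.exe">mirror</a></p>
"""

class LinkCollector(HTMLParser):
    """Collect the href of every <a> tag."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)

def audit_downloads(page_url, html, suffix=".exe"):
    """Map each executable link's absolute URL to a verdict:
    "ok"             page and download both use https
    "page-plaintext" download is https, but the page carrying the link
                     came over http, so the link itself is unprotected
    "plaintext"      the download travels over http
    """
    parser = LinkCollector()
    parser.feed(html)
    page_secure = urlsplit(page_url).scheme == "https"
    results = {}
    for href in parser.hrefs:
        # A relative link inherits the scheme of the page it sits on.
        target = urljoin(page_url, href)
        parts = urlsplit(target)
        if not parts.path.lower().endswith(suffix):
            continue
        if parts.scheme != "https":
            results[target] = "plaintext"
        else:
            results[target] = "ok" if page_secure else "page-plaintext"
    return results
```

Running it with `http://www.cygwin.com/` and then `https://www.cygwin.com/` as `page_url` shows the same relative link changing from "plaintext" to "ok" purely because of how the page was reached.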