X-Recipient: archive-cygwin AT delorie DOT com
DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:from:subject:reply-to:to:references:message-id
	:date:mime-version:in-reply-to:content-type
	:content-transfer-encoding; q=dns; s=default; b=LqAt0jgCdJp8MxWF
	ANCTGKOiXfkJJJVuqXTIg7kbvUxGlwmohtB9vjlqi2d0vTKz1SKypF3/tC6CVsAT
	blfVdIY/D/b1sshNwI1eGMmRX+k/XuPUQKAEBtzL1fpCmDYbC+5Y2gs9Lw7soi0W
	GjwDoh/IUPqn98A4g1gs3g9umW4=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:from:subject:reply-to:to:references:message-id
	:date:mime-version:in-reply-to:content-type
	:content-transfer-encoding; s=default; bh=ItlFBYPyx7LBz+IUl0Fhsg
	BIF74=; b=aVq7DLFiW6g7tKlmPJV4/cOn1+pfTIPhrbKzzq+EZTji2HaOqrg2XI
	0fUN9xbu8UtJO55nDwBXxyN6PsvtrBuJMapf1MEXZc9sRUzIB6/LfNdAKnalewhx
	WwXh8tFb8EvOlukpGJLSFZPQSWGpi8lhXxtS2Dx/KzVx+h4q0KA5E=
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Authentication-Results: sourceware.org; auth=none
X-Spam-SWARE-Status: No, score=-2.9 required=5.0 tests=AWL,BAYES_00,RCVD_IN_DNSWL_LOW autolearn=ham version=3.3.1 spammy=browser, attack
X-HELO: smtp-out-so.shaw.ca
From: Brian Inglis <Brian DOT Inglis AT SystematicSw DOT ab DOT ca>
Subject: Re: SSL not required for setup.exe download
Reply-To: Brian DOT Inglis AT SystematicSw DOT ab DOT ca
To: cygwin AT cygwin DOT com
References: <CANSoFxtW0Jb1M5KfkFGGOxec_D8ysyYCrnk_PXWjHobLDXZauQ AT mail DOT gmail DOT com>
Openpgp: preference=signencrypt
Message-ID: <fcfccbe3-a4e3-2f75-a2f4-23d12abc5a70@SystematicSw.ab.ca>
Date: Sun, 10 Mar 2019 08:16:47 -0600
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.5.3
MIME-Version: 1.0
In-Reply-To: <CANSoFxtW0Jb1M5KfkFGGOxec_D8ysyYCrnk_PXWjHobLDXZauQ@mail.gmail.com>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-IsSubscribed: yes

On 2019-03-09 21:54, Archie Cobbs wrote:
> The FAQ states:
>     The Cygwin website provides the setup program (setup-x86.exe or
> setup-x86_64.exe) using HTTPS (SSL/TLS).
> While this is true, it's not mandatory.
> If one happens to go to HTTP://www.cygwin.com instead of
> HTTPS://www.cygwin.com, then neither the page you are viewing (which
> contains the setup.exe download link), nor the setup.exe download link
> itself are secured via SSL.
> So someone who just types "cygwin.com" into the browser location bar
> and clicks on the setup.exe link is vulnerable to a MTM attack.
> It would be safer if http://www.cygwin.com always redirected you to
> https://www.cygwin.com, where the page and the link are SSL.
> Is there any reason not to force this redirect and close this security hole?

The whole sourceware.org site include cygwin.com uses HSTS which compliant
supporting clients can use to switch to communicating over HTTPS.
Clients which are not compliant or don't support HTTPS may still download the
programs and files.

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple