Message-ID: <5C859BB7.4040900@tlinx.org>
Date: Sun, 10 Mar 2019 16:20:23 -0700
From: L A Walsh
To: cygwin AT cygwin DOT com
Subject: Re: SSL not required for setup.exe download

On 3/10/2019 7:16 AM, Brian Inglis wrote:
> On 2019-03-09 21:54, Archie Cobbs wrote:
>> It would be safer if http://www.cygwin.com always redirected you to
>> https://www.cygwin.com, where the page and the link are SSL.
>> Is there any reason not to force this redirect and close this security hole?
>>
----
I think the point is that if you redirect and a client can't speak
https, what happens? Wouldn't they get an error that would prevent them
from using the site?

Google has a vested interest in getting people locked in on https -- makes
it much harder for people to use proxies and lower their requests to Google
and for them to block some requests. They get to control what you get --
not you.

>
> The whole sourceware.org site including cygwin.com uses HSTS which compliant
> supporting clients can use to switch to communicating over HTTPS.
> Clients which are not compliant or don't support HTTPS may still download the
> programs and files.
>
>
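
The HSTS mechanism mentioned in the quoted reply, sketched as an added example (not part of the thread and not Cygwin or sourceware code): a simplified client-side HSTS cache following RFC 6797. The class HSTSStore and its method names are hypothetical; the header key is matched case-sensitively and ports are not remapped, to keep it short.

```python
import time
from urllib.parse import urlsplit, urlunsplit

class HSTSStore:
    """Simplified client-side HSTS cache (RFC 6797); ports are not remapped."""
    def __init__(self, now=time.time):
        self._now = now    # injectable clock, so expiry can be exercised
        self._hosts = {}   # host -> (expiry time, includeSubDomains flag)

    def note_response(self, url, headers):
        parts = urlsplit(url)
        value = headers.get("Strict-Transport-Security")
        # RFC 6797 section 8.1: ignore the header on plain-HTTP responses,
        # since anyone on the path could have injected or altered it.
        if parts.scheme != "https" or value is None:
            return False
        max_age, include_sub = None, False
        for directive in value.split(";"):
            name, _, arg = directive.strip().partition("=")
            if name.strip().lower() == "max-age":
                arg = arg.strip().strip('"')
                if not (arg.isascii() and arg.isdigit()):
                    return False          # malformed policy: ignore it all
                max_age = int(arg)
            elif name.strip().lower() == "includesubdomains":
                include_sub = True
        if max_age is None:
            return False                  # max-age is mandatory
        host = parts.hostname.lower()
        if max_age == 0:
            self._hosts.pop(host, None)   # max-age=0 deletes the policy
        else:
            self._hosts[host] = (self._now() + max_age, include_sub)
        return True

    def is_known(self, host):
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            # Exact match always applies; a parent needs includeSubDomains.
            if entry and entry[0] > self._now() and (i == 0 or entry[1]):
                return True
        return False

    def rewrite(self, url):
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname and self.is_known(parts.hostname):
            return urlunsplit(("https",) + tuple(parts)[1:])
        return url
```

With an empty store, rewrite() leaves an http:// URL unchanged; the upgrade only starts after the header has been seen on one HTTPS response and lasts until max-age expires.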