X-Recipient: archive-cygwin AT delorie DOT com DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:reply-to:subject:to:references:from:message-id :date:mime-version:in-reply-to:content-type :content-transfer-encoding; q=dns; s=default; b=OnaZPtEzzXdgU7n0 24lzKumNdqwbvqA84ddqShDhVGhakKIvo202UShY0CH8/MqZTI8fO5HvkX8KsPTh /kyHuBQW/w3INiB7RFc3p2mRxUQeyqlvBHLAlWvYRlYPhNkv/LiLk9CwLx88AyoD PVdSxN7tkTvgFy3YhkLo1uPa+o8= DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:reply-to:subject:to:references:from:message-id :date:mime-version:in-reply-to:content-type :content-transfer-encoding; s=default; bh=ysFp91SxQCBkJIKYw2uIfh D8Xe4=; b=mFbraVuCusp0zWvfbqsN2frp8/GnZ5Y+ypJ3/2lELVm3gu0iP49RRP RiGIDWgTo+ddySZRx3p/wxNSFNztwOKpEjfBpZrpR+/o75ehv60jXjo1tMw+N+71 FQmsrXGDFdea2JTvWDHKQYz2crhJtsw/jMK5ZGsM82TdL/y39jDKs= Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner AT cygwin DOT com Mail-Followup-To: cygwin AT cygwin DOT com Delivered-To: mailing list cygwin AT cygwin DOT com Authentication-Results: sourceware.org; auth=none X-Spam-SWARE-Status: No, score=-2.8 required=5.0 tests=AWL,BAYES_00,RCVD_IN_DNSWL_LOW autolearn=ham version=3.3.1 spammy= X-HELO: smtp-out-so.shaw.ca Reply-To: Brian DOT Inglis AT SystematicSw DOT ab DOT ca Subject: Re: SSL not required for setup.exe download To: cygwin AT cygwin DOT com References: <1a840c2e-55ac-0ab4-66c4-a1f6a2c4f81a AT Shaw DOT ca> From: Brian Inglis Openpgp: preference=signencrypt Message-ID: <41f12842-ea43-ff63-a660-26ee3b497c63@SystematicSw.ab.ca> Date: Sun, 10 Mar 2019 21:50:56 -0600 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.5.3 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-IsSubscribed: yes On 2019-03-10 10:40, Archie Cobbs wrote: > On Sun, Mar 10, 2019 at 9:16 AM Brian Inglis wrote: >>> Is there any reason not to force this redirect and close this security hole? There are apparently reasons not to force this redirect as it can also cause a security hole. >> The whole sourceware.org site include cygwin.com uses HSTS which compliant >> supporting clients can use to switch to communicating over HTTPS. >> Clients which are not compliant or don't support HTTPS may still download the >> programs and files. > > I don't see how HSTS solves the particular issue that I'm referring to. HSTS redirects requests from port 80 to 443 (HTTPS). > HSTS only applies to connections that are *already* using HTTPS. > Quoting Wikipedia: > > HSTS mechanism overview > > A server implements an HSTS policy by supplying a header over an > HTTPS connection (HSTS headers over HTTP are ignored). The HSTS Mechanism is a small part of the HSTS implementation: https://tools.ietf.org/html/rfc6797 and the wiki article may not be a good description. > In any case, the problem I'm talking about is trivial to verify. Just > start up Chrome or Firefox and enter http://www.cygwin.com. You can > then confirm that (a) the page you are looking at has an http:// URL, > and (b) the link to setup.exe also has an http:// URL. Therefore, > there is no real security in this scenario. I only get to see https://www.cygwin.com/ YMMV -- Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada This email may be disturbing to some readers as it contains too much technical detail. Reader discretion is advised. -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple