X-Recipient: archive-cygwin AT delorie DOT com
DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:reply-to:subject:to:references:from:message-id
	:date:mime-version:in-reply-to:content-type
	:content-transfer-encoding; q=dns; s=default; b=DhJ5oWhGCtLXIHGS
	wqXANgSv0adStQOoZZ/zt3kCsaWPKfIV4Xj+/KzSeGQ1dqDTA9Pg3JEQQ8dw2l7e
	6toigdKocvVIs7zV97cetXsNhHiVFLtGXyD83AcAKJtzq5Y4XrGIp0z85RYAL2+7
	IxzmNKQVWogJz+b1/+jWVEst1z8=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:reply-to:subject:to:references:from:message-id
	:date:mime-version:in-reply-to:content-type
	:content-transfer-encoding; s=default; bh=nah8OdpO3Bb7eCz3IBsAIb
	oZBcs=; b=O3EeVydMByhmcE6tRRwcMZUW6kF/V7/6rQyj8NqdbJMf+vIJC4Zydw
	/1Mih0Yk+JcmB5HtHpgHA7ymxZ85p6Q0RtZb4patPbqvNwj1bqIBBlIzA+warHFY
	UZ1PZVXUCKegXKPjUPmIsQEbEOAS6bbvIzxPs0zg5u9Sz8pe45hZw=
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Authentication-Results: sourceware.org; auth=none
X-Spam-SWARE-Status: No, score=-2.8 required=5.0 tests=AWL,BAYES_00,RCVD_IN_DNSWL_LOW autolearn=ham version=3.3.1 spammy=HX-Languages-Length:1026
X-HELO: smtp-out-so.shaw.ca
Reply-To: Brian DOT Inglis AT SystematicSw DOT ab DOT ca
Subject: Re: SSL not required for setup.exe download
To: cygwin AT cygwin DOT com
References: <CANSoFxtW0Jb1M5KfkFGGOxec_D8ysyYCrnk_PXWjHobLDXZauQ AT mail DOT gmail DOT com> <fcfccbe3-a4e3-2f75-a2f4-23d12abc5a70 AT SystematicSw DOT ab DOT ca> <5C859BB7 DOT 4040900 AT tlinx DOT org> <CANSoFxtRQrwe4TAWweswXC94d5hzyt--M6BaR4Dcg1yBVqh1GQ AT mail DOT gmail DOT com>
From: Brian Inglis <Brian DOT Inglis AT SystematicSw DOT ab DOT ca>
Openpgp: preference=signencrypt
Message-ID: <35afcb0a-7494-9d13-02f3-b3d21f33e810@SystematicSw.ab.ca>
Date: Mon, 11 Mar 2019 07:13:40 -0600
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.5.3
MIME-Version: 1.0
In-Reply-To: <CANSoFxtRQrwe4TAWweswXC94d5hzyt--M6BaR4Dcg1yBVqh1GQ@mail.gmail.com>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-IsSubscribed: yes

On 2019-03-10 21:53, Archie Cobbs wrote:
> On Sun, Mar 10, 2019 at 6:20 PM L A Walsh <cygwin AT tlinx DOT org> wrote:
>>>> It would be safer if http://www.cygwin.com always redirected you to
>>>> https://www.cygwin.com, where the page and the link are SSL.
>>>> Is there any reason not to force this redirect and close this security hole?
>>
>>     I think the point is that if you redirect and a client can't
>> speak https, what happens?  Wouldn't they get an error that would
>> prevent them from using the site?
> 
> I guess so. Can you name any such client?

Dillo and likely others on:

	https://en.wikipedia.org/wiki/Comparison_of_lightweight_web_browsers

and clients for RTEMS and other embedded platforms supported by newlib, musl,
and similar libraries, that are too limited to support TLS, HTTPS, etc.

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple