X-Recipient: archive-cygwin AT delorie DOT com DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:message-id:date:from:mime-version:to:cc :subject:references:in-reply-to:content-type :content-transfer-encoding; q=dns; s=default; b=JQvfyXHIs//xOylL 01RB29FPhoUlJiGIGBkO3FZCshAdzFV9e8QbWBDqUznz6HC9QuU6LFJ22rOyvZJK vCVVM6E1uBtUfmwW6MBk9kFCPPxqQFjZmjt+Hz7iGdd1Wpc11JsdM6YfrhRrxGNl FdPiB9/2fRV18l99sBjbBKxKDyQ= DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:message-id:date:from:mime-version:to:cc :subject:references:in-reply-to:content-type :content-transfer-encoding; s=default; bh=zfsb77O1XGAhUWF8s8MS50 OF2yQ=; b=ivX2fmB5n+xUY5EQkLggbOjZIBS042V9DKByI22I8KS8JUEokJOLKB aKXdnGTuK3+2V9IwJ5Y6tkMD4rNrXzYeJ/Cc/zZSvpektVMHb64tk0w0cV8vsq1+ qJ3ssoxfaj6sExPWKGh2V/4fprWWgtoj8v76Fq86TiniqEvP4NsK4= Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner AT cygwin DOT com Mail-Followup-To: cygwin AT cygwin DOT com Delivered-To: mailing list cygwin AT cygwin DOT com Authentication-Results: sourceware.org; auth=none X-Spam-SWARE-Status: No, score=-6.1 required=5.0 tests=AWL,BAYES_00,GIT_PATCH_2 autolearn=ham version=3.3.1 spammy=ensuring, well-known, wellknown, citizens X-HELO: Ishtar.sc.tlinx.org Message-ID: <5C866129.1090605@tlinx.org> Date: Mon, 11 Mar 2019 06:22:49 -0700 From: L A Walsh User-Agent: Thunderbird MIME-Version: 1.0 To: archie DOT cobbs AT gmail DOT com CC: cygwin AT cygwin DOT com Subject: Re: SSL not required for setup.exe download References:

<5C859BB7 DOT 4040900 AT tlinx DOT org> In-Reply-To: Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-IsSubscribed: yes On 3/10/2019 8:53 PM, Archie Cobbs wrote: > On Sun, Mar 10, 2019 at 6:20 PM L A Walsh wrote: > >>>> It would be safer if http://www.cygwin.com always redirected you to >>>> https://www.cygwin.com, where the page and the link are SSL. >>>> Is there any reason not to force this redirect and close this security hole? >>>> >> I think the point is that if you redirect and a client can't >> speak https, what happens? Wouldn't they get an error that would >> prevent them from using the site? >> > > I guess so. Can you name any such client? > --- Depends on the site, but for several months my browser would get an error if I tried to goto my distro's website. They implemented hsts, but were using an insecure encryption that my browser had enabled. So now I try to only use their unencrypted channels for distro-download, among other things. As for others, and companies, such information is proprietary. Why would people advertise they are using a browser that doesn't speak the latest fad? If you are asking for a mainstream browser, forget it, you'd have to write your own software or make changes in one. But any browser that is open source could be configured to disable https on non-sensitive sites, though eventually, intercepting only encrypted material and ensuring that the browsers honor well-known CA's, that have had keys requested under government security letters that forbid any spread of such interception will get them most of what they want. It's all in the name of protecting the citizens, of course...and the children: think of the children (yeah, a bit of hyperbole here, but that doesn't mean it can't be true). -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple