X-Recipient: archive-cygwin AT delorie DOT com DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:reply-to:subject:to:references:from:message-id :date:mime-version:in-reply-to:content-type :content-transfer-encoding; q=dns; s=default; b=ruRc1r9pPbyvnSrk 9KgkOXzFqwixlZgOyy/B++tXqzNEggeopIVneHElN+LCbCwbVYztY5JgYrsBR7+P sTHNhmGrYknwYVFtp/4atCaESGHLrPNK9ZW4phynj1RHh9oT4le+h5qay0qh4Zqq OdGLAquJNOfcXv1UD9ubMeY8niw= DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:reply-to:subject:to:references:from:message-id :date:mime-version:in-reply-to:content-type :content-transfer-encoding; s=default; bh=cm1BC3m0ZFIics0QQfJmXp TXa2A=; b=LgxlKvneYVHqxtvkv3CUMUFXr0zapQaypk4XfI3c7bpeCVil3kP3zg uaVOd7Ptpwv44hVCqMAPK+bHSYOiTZoezNU8NUuSiPGb8e3m+3qnNxr+ZMfGF2Y7 MNGlgqjANZb2RyF1ivuyhmMIqdK2IZgmIbHIr4QPG5U07tZ8BDc8A= Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner AT cygwin DOT com Mail-Followup-To: cygwin AT cygwin DOT com Delivered-To: mailing list cygwin AT cygwin DOT com Authentication-Results: sourceware.org; auth=none X-Spam-SWARE-Status: No, score=-2.7 required=5.0 tests=AWL,BAYES_00,RCVD_IN_DNSWL_LOW autolearn=ham version=3.3.1 spammy=HX-Languages-Length:1785, attack X-HELO: smtp-out-so.shaw.ca Reply-To: Brian DOT Inglis AT SystematicSw DOT ab DOT ca Subject: Re: SSL not required for setup.exe download To: cygwin AT cygwin DOT com References: <1a840c2e-55ac-0ab4-66c4-a1f6a2c4f81a AT Shaw DOT ca> <41f12842-ea43-ff63-a660-26ee3b497c63 AT SystematicSw DOT ab DOT ca> From: Brian Inglis Openpgp: preference=signencrypt Message-ID: <1b570593-0ec7-0890-26ef-7e7468534f47@SystematicSw.ab.ca> Date: Mon, 11 Mar 2019 13:42:45 -0600 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.5.3 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-IsSubscribed: yes On 2019-03-11 07:43, Archie Cobbs wrote: > On Sun, Mar 10, 2019 at 10:51 PM Brian Inglis wrote: >>>>> Is there any reason not to force this redirect and close this security hole? >> There are apparently reasons not to force this redirect as it can also cause a >> security hole. > That's really interesting. Can you provide more detail? Search for HTTP HTTPS redirection SSL stripping MitM attack >>>> The whole sourceware.org site include cygwin.com uses HSTS which compliant >>>> supporting clients can use to switch to communicating over HTTPS. >>>> Clients which are not compliant or don't support HTTPS may still download the >>>> programs and files. >>> I don't see how HSTS solves the particular issue that I'm referring to. >> HSTS redirects requests from port 80 to 443 (HTTPS). > Not for me. Well, actually I'm getting inconsistent results... > On Mac OS X, neither Firefox, Chrome nor Safari will redirect to SSL. > On an old Windows 7 system, neither IE 8 (no surprise there) or Chrome > redirects. > However, with Chrome, it does not redirect at first, but once I've > manually entered https://www.cygwin.com it seems to "realize" that a > secure site exists, and after that it starts redirecting to SSL. > I can revert that behavior by clearing the cache. > So it seems in the case of Chrome, it has to be "taught" about the > existence of the secure site... which of course takes us right back to > the original problem. Some sites, proxies, and CDNs respond with HTTP/1.0 302 Found and redirects to HTTPS:443 followed by the HTTP header. -- Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada This email may be disturbing to some readers as it contains too much technical detail. Reader discretion is advised. -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple