X-Recipient: archive-cygwin AT delorie DOT com DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:reply-to:subject:to:references:from:message-id :date:mime-version:in-reply-to:content-type :content-transfer-encoding; q=dns; s=default; b=vQ7rnpLLuA9Tja1p wTjJVpCBop5r6lv5c3eYPjivW5N+1yX22Oeuy0Hfr2NKj3FXtRgJeiJn/nZpOUYw Ro9DsNNxZoQdgKWkObTQGvc3vhFZAcxPVKLfzFWbSYJtBqiXI/S2D4upkmD4pl0/ ig+lbRC/d+Q6+XIeI3fBL30vMSE= DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:reply-to:subject:to:references:from:message-id :date:mime-version:in-reply-to:content-type :content-transfer-encoding; s=default; bh=rFu+K7OBZrmra964JBKpiF NSHrE=; b=vZ6RLoBW1xZGXyvquZXYxPuOG+xOHNEfK+OGb8E2grxANHLwlsBMFI imc1PE64V/QSieJ+a8TP27q5sCtjjvyoR5D9W3mtBTqOp6LSk04fD3qGbOUYrosI JzvIUorc6M5TzPjtcFUVF8vvAZlx5XXlj97DBShQv2kgb5ZdupaWs= Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner AT cygwin DOT com Mail-Followup-To: cygwin AT cygwin DOT com Delivered-To: mailing list cygwin AT cygwin DOT com Authentication-Results: sourceware.org; auth=none X-Spam-SWARE-Status: No, score=-0.4 required=5.0 tests=AWL,BAYES_00,EXECUTABLE_URI,KAM_EXEURI,RCVD_IN_DNSWL_LOW autolearn=no version=3.3.1 spammy=burden, attack X-HELO: smtp-out-so.shaw.ca Reply-To: Brian DOT Inglis AT SystematicSw DOT ab DOT ca Subject: Re: SSL not required for setup.exe download To: cygwin AT cygwin DOT com References: <1a840c2e-55ac-0ab4-66c4-a1f6a2c4f81a AT Shaw DOT ca> <41f12842-ea43-ff63-a660-26ee3b497c63 AT SystematicSw DOT ab DOT ca> <1b570593-0ec7-0890-26ef-7e7468534f47 AT SystematicSw DOT ab DOT ca>

From: Brian Inglis Openpgp: preference=signencrypt Message-ID: Date: Tue, 12 Mar 2019 08:31:38 -0600 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.5.3 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-IsSubscribed: yes On 2019-03-12 07:47, Archie Cobbs wrote: > On Mon, Mar 11, 2019 at 6:00 PM Lee wrote: >>> I must say I'm surprised so many people think it's a good idea to >>> leave cygwin open to trivial MITM attacks, which is the current state >>> of affairs. >> But it's only open to a trivial MITM attack if the user types in >> "http://cygwin.com" - correct? Why isn't the fix "don't do that"? > Because security that rests on assuming humans will always do the > correct thing has proven to be unreliable (understatement). >>> This is my opinion only of course, but if cygwin wants to have any >>> security credibility, it should simply disallow non-SSL downloads of >>> setup.exe. Otherwise the chain of authenticity is broken forever. >> They sign setup.exe, so "the chain of authenticity" is there regardless. >> https://cygwin.com/setup-x86_64.exe >> https://cygwin.com/setup-x86_64.exe.sig > I don't see your point. > Downloading the sig file over HTTP is useless... any attacker going to > the trouble to launch a MITM attack for setup.exe will certainly also > do it for the sig file as well. > OTOH, if you download the file over HTTPS.. then your client supports > SSL. Which is exactly what I'm saying should be mandatory. Forcing TLS means blocking anyone who for any reason can not use TLS: this is a performance and support burden compared to allowing both HTTP:80 and HTTPS:443. Same reasons most ISPs/ASes/orgs don't filter or validate packet source IP addresses per BCP 38 which would stop most abuses! -- Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada This email may be disturbing to some readers as it contains too much technical detail. Reader discretion is advised. -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple