X-Recipient: archive-cygwin AT delorie DOT com
DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:mime-version:in-reply-to:references:from:date
	:message-id:subject:to:content-type; q=dns; s=default; b=nR0iNcQ
	7V/SBdQsAwQj+Vc8n5FcIaGr3Yaui3bqdu20w4tCyF5wIsPXjXhpW6CVON1zF++W
	ruLwO/g1cxZJy6uib/bLP1FEarMVwRV9/o7GxRyLsUWsLo3HenQ+iH0LeukG1Rmy
	hbbVozhy1nUlUtWQKxX62ID8hU0XEm7ZP2uE=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:mime-version:in-reply-to:references:from:date
	:message-id:subject:to:content-type; s=default; bh=UKmcUBMi/5PtT
	8cMg24XDJBYaoQ=; b=dp6ck1KOw0TFUYjBhafFsdXUN4qagXl+pH56erG4DI4LR
	FQVaWXSU+VuZfPed9lbXVZ3mNa+OeJgtk83Bxaf6d3KqqkThKLSP1MtgCSeOqWmr
	sU5NWZhfZC4MGNtQ4/z5WaOzqEHc4diTdnl2FVLJpHYgo5udtkVdk6JqCZ+XcM=
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Authentication-Results: sourceware.org; auth=none
X-Spam-SWARE-Status: No, score=2.6 required=5.0 tests=AWL,BAYES_40,EXECUTABLE_URI,FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,KAM_EXEURI,RCVD_IN_DNSWL_NONE,SPF_PASS autolearn=no version=3.3.1 spammy=certified, proven, sk:setup-x, setupx86_64exesig
X-HELO: mail-qt1-f178.google.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;        d=gmail.com; s=20161025;        h=mime-version:in-reply-to:references:from:date:message-id:subject:to;        bh=aWjeQeS9MkOXRqM6YQrd7v1MHLPMdWre+JMrU/9i6ag=;        b=guLzLca3qzr/aQ8J8nKXbPewqWyrkGren2P7Z4vYmUmsKQemlO0hzWkd1eUBSuAB6Z         nKk6MGDAX9nku+ALqi9kPTN/kRUEpKKl8QcMkSYBtrAQi6nLpmB7ywdgB7XV82Aax9FF         DZbJHUWRIR5tjEwDnuhcxZ2X12OIFZZ4wAHqnwRk3tqCQHyxwV9HRJ4ByY+CgoPEZyw8         DQI50i2+pEfJrOeyEXoZWvYmGhw7mu3dj8N5crNQDc72dTPBKv6gg7ypkqawC2xqlJ0Q         iKc+b/yEHwk7xT5NV2Yx+5oGa8aFokyyj3hCiuVMs8jRfgDrqKKXqddYNc6PIw4+I83H         8GXA==
MIME-Version: 1.0
In-Reply-To: <CANSoFxu7sNUqP3zSKHiFULBrvOkhPFRuc8MyAHojAGFNu-O_xQ@mail.gmail.com>
References: <CANSoFxtW0Jb1M5KfkFGGOxec_D8ysyYCrnk_PXWjHobLDXZauQ AT mail DOT gmail DOT com> <1a840c2e-55ac-0ab4-66c4-a1f6a2c4f81a AT Shaw DOT ca> <CANSoFxtA0vnF1adx4rwyjuMasrVAOGb8hT_Uct-wSdcazj252w AT mail DOT gmail DOT com> <41f12842-ea43-ff63-a660-26ee3b497c63 AT SystematicSw DOT ab DOT ca> <CANSoFxtLzGgcOhrsu4h0eXXnpezB6v17cGwOrqy6SjSvJ__gLA AT mail DOT gmail DOT com> <1b570593-0ec7-0890-26ef-7e7468534f47 AT SystematicSw DOT ab DOT ca> <CANSoFxsq+5OfRH7RF3QdpMSJU-4JAKSCZM-rUUysP5Y3myR0+Q AT mail DOT gmail DOT com> <CAD8GWsu+P_d8RCiibkZ068oRAf8yeu=W5CLFO+ZNXGxjUcBOpw AT mail DOT gmail DOT com> <CANSoFxu7sNUqP3zSKHiFULBrvOkhPFRuc8MyAHojAGFNu-O_xQ AT mail DOT gmail DOT com>
From: Lee <ler762 AT gmail DOT com>
Date: Tue, 12 Mar 2019 15:58:54 -0400
Message-ID: <CAD8GWstONGL86FBAOsRf1w6ORDh3QawBDsuZDf+KQtAAR1_TVA@mail.gmail.com>
Subject: Re: SSL not required for setup.exe download
To: cygwin AT cygwin DOT com
Content-Type: text/plain; charset="UTF-8"
X-IsSubscribed: yes

On 3/12/19, Archie Cobbs  wrote:
> On Mon, Mar 11, 2019 at 6:00 PM Lee wrote:
>> > I must say I'm surprised so many people think it's a good idea to
>> > leave cygwin open to trivial MITM attacks, which is the current state
>> > of affairs.
>>
>> But it's only open to a trivial MITM attack if the user types in
>> "http://cygwin.com" - correct?  Why isn't the fix "don't do that"?
>
> Because security that rests on assuming humans will always do the
> correct thing has proven to be unreliable (understatement).
>
>> > This is my opinion only of course, but if cygwin wants to have any
>> > security credibility, it should simply disallow non-SSL downloads of
>> > setup.exe. Otherwise the chain of authenticity is broken forever.
>>
>> They sign setup.exe, so "the chain of authenticity" is there regardless.
>>   https://cygwin.com/setup-x86_64.exe
>>   https://cygwin.com/setup-x86_64.exe.sig
>
> I don't see your point.
>
> Downloading the sig file over HTTP is useless... any attacker going to
> the trouble to launch a MITM attack for setup.exe will certainly also
> do it for the sig file as well.

Have you ever used gpg?  It tells you who signed the file:
$ gpg --verify cygwinSetup-x86_64.exe.sig cygwinSetup-x86_64.exe
gpg: Signature made Sun, Oct 21, 2018 12:02:34 PM EDT
gpg:                using DSA key 0xA9A262FF676041BA
gpg: Good signature from "Cygwin <cygwin AT cygwin DOT com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 1169 DF9F 2273 4F74 3AA5  9232 A9A2 62FF 6760 41BA

So even if someone was able to hijack cygwin.com, the files I
downloaded won't verify.

and yes.. gpg key usage tends to devolve to 'trust on first use' but
even so, it still seems better than most alternatives.

Regards,
Lee

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple