Web lists-archives.com

SSL not required for setup.exe download




The FAQ states:

    The Cygwin website provides the setup program (setup-x86.exe or
setup-x86_64.exe) using HTTPS (SSL/TLS).

While this is true, it's not mandatory.

If one happens to go to HTTP://www.cygwin.com instead of
HTTPS://www.cygwin.com, then neither the page you are viewing (which
contains the setup.exe download link), nor the setup.exe download link
itself are secured via SSL.

So someone who just types "cygwin.com" into the browser location bar
and clicks on the setup.exe link is vulnerable to a MTM attack.

It would be safer if http://www.cygwin.com always redirected you to
https://www.cygwin.com, where the page and the link are SSL.

Is there any reason not to force this redirect and close this security hole?

-Archie

--
Archie L. Cobbs

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple