
Re: SSL not required for setup.exe download




Greetings, Archie Cobbs!

> The FAQ states:

>     The Cygwin website provides the setup program (setup-x86.exe or
> setup-x86_64.exe) using HTTPS (SSL/TLS).

> While this is true, it's not mandatory.

> If one happens to go to HTTP://www.cygwin.com instead of
> HTTPS://www.cygwin.com, then neither the page you are viewing (which
> contains the setup.exe download link), nor the setup.exe download link
> itself are secured via SSL.

> So someone who just types "cygwin.com" into the browser location bar
> and clicks on the setup.exe link is vulnerable to a MTM attack.

> It would be safer if http://www.cygwin.com always redirected you to
> https://www.cygwin.com, where the page and the link are SSL.

> Is there any reason not to force this redirect and close this security hole?

If you care that much, you would use https.
If not, then I see no reason to bend to hysteric crowd.


-- 
With best regards,
Andrey Repin
Sunday, March 10, 2019 16:29:01

Sorry for my terrible English...


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
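The quoted report turns on one detail: a relative download link inherits the scheme of the page it sits on, so a page reached over plain HTTP hands out a plain-HTTP installer even though the same link is fine over HTTPS. The following audit function is an added example, not code from the thread or from the Cygwin project; the page URL, hostnames and HTML below are constructed for illustration.

```python
"""Flag installer links that a visitor would fetch over plain HTTP.

Added example; the sample page and hostnames are constructed, not real.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# File types a user would execute after download; constructed list.
INSTALLER_SUFFIXES = (".exe", ".msi", ".dmg", ".pkg", ".sh")


class _LinkCollector(HTMLParser):
    """Collect every href from <a> tags on a page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def insecure_installer_links(page_url, html):
    """Return absolute URLs of installer links served over plain HTTP
    when the page is viewed at page_url. Relative hrefs are resolved
    against page_url, so an http:// page makes them http:// as well."""
    parser = _LinkCollector()
    parser.feed(html)
    flagged = []
    for href in parser.hrefs:
        absolute = urljoin(page_url, href)
        parsed = urlparse(absolute)
        if parsed.scheme == "http" and parsed.path.lower().endswith(INSTALLER_SUFFIXES):
            flagged.append(absolute)
    return flagged


# Constructed sample page: one relative link, one absolute HTTPS link,
# one absolute HTTP link, and one non-installer link.
SAMPLE_HTML = """
<a href="setup-x86_64.exe">Install (64-bit)</a>
<a href="https://cdn.example.invalid/setup-x86.exe">Install (32-bit)</a>
<a href="http://cdn.example.invalid/old/setup.exe">Old installer</a>
<a href="/faq/">FAQ</a>
"""

if __name__ == "__main__":
    for url in insecure_installer_links("http://www.example.invalid/", SAMPLE_HTML):
        print("insecure download link:", url)
```

Running the same page under `https://www.example.invalid/` flags only the hard-coded `http://` link, which is exactly why the thread asks for the HTTP-to-HTTPS redirect.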