Re: SSL not required for setup.exe download
- Date: Sun, 10 Mar 2019 16:29:57 +0300
- From: Andrey Repin <anrdaemon@xxxxxxxxx>
- Subject: Re: SSL not required for setup.exe download
Greetings, Archie Cobbs!
> The FAQ states:
> The Cygwin website provides the setup program (setup-x86.exe or
> setup-x86_64.exe) using HTTPS (SSL/TLS).
> While this is true, it's not mandatory.
> If one happens to go to HTTP://www.cygwin.com instead of
> HTTPS://www.cygwin.com, then neither the page you are viewing (which
> contains the setup.exe download link), nor the setup.exe download link
> itself are secured via SSL.
> So someone who just types "cygwin.com" into the browser location bar
> and clicks on the setup.exe link is vulnerable to a MTM attack.
> It would be safer if http://www.cygwin.com always redirected you to
> https://www.cygwin.com, where the page and the link are SSL.
> Is there any reason not to force this redirect and close this security hole?
If you care that much, you would use https.
If not, then I see no reason to bend to the hysteric crowd.
With best regards,
Sunday, March 10, 2019 16:29:01
Sorry for my terrible English...
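An added example, not part of the original thread or of Cygwin's own code: a small audit helper that shows which download links on a page a browser would fetch over plain HTTP, and whether a response to a plain-HTTP request forces HTTPS as the quoted message proposes. The sample HTML, the relative link form, and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _LinkCollector(HTMLParser):
    """Collects the href of every <a> tag in a page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)


def cleartext_downloads(page_url, html, suffix=".exe"):
    """Absolute URLs of download links that resolve to plain HTTP.

    A relative link inherits the scheme of the page it sits on, so the
    same markup is safe on an https:// page and exposed on an http:// one.
    On an http:// page the markup itself is also unauthenticated, so even
    an absolute https:// link could be rewritten in transit.
    """
    collector = _LinkCollector()
    collector.feed(html)
    exposed = []
    for href in collector.hrefs:
        parts = urlsplit(urljoin(page_url, href))
        if parts.scheme == "http" and parts.path.lower().endswith(suffix):
            exposed.append(parts.geturl())
    return exposed


def forces_https(requested_url, status, location):
    """True if a plain-HTTP request is redirected to HTTPS on the same host."""
    if status not in (301, 302, 303, 307, 308) or not location:
        return False
    target = urlsplit(urljoin(requested_url, location))
    return target.scheme == "https" and target.hostname == urlsplit(requested_url).hostname


# Constructed sample page: one relative and one absolute HTTPS download link.
SAMPLE_HTML = (
    '<a href="setup-x86_64.exe">64-bit</a> '
    '<a href="https://www.cygwin.com/setup-x86.exe">32-bit</a>'
)
```
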