Re: SSL not required for setup.exe download
- Date: Sun, 10 Mar 2019 08:16:18 -0600
- From: Brian Inglis <Brian.Inglis@xxxxxxx>
- Subject: Re: SSL not required for setup.exe download
On 2019-03-09 21:54, Archie Cobbs wrote:
> The FAQ states:
> The Cygwin website provides the setup program (setup-x86.exe or
> setup-x86_64.exe) using HTTPS (SSL/TLS).
> While this is true, it's not mandatory.
> If one happens to go to HTTP://www.cygwin.com instead of
> HTTPS://www.cygwin.com, then neither the page you are viewing (which
> contains the setup.exe download link), nor the setup.exe download link
> itself are secured via SSL.
> So someone who just types "cygwin.com" into the browser location bar
> and clicks on the setup.exe link is vulnerable to a MTM attack.
> It would be safer if http://www.cygwin.com always redirected you to
> https://www.cygwin.com, where the page and the link are SSL.
> Is there any reason not to force this redirect and close this security hole?
The whole sourceware.org site include cygwin.com uses HSTS which compliant
supporting clients can use to switch to communicating over HTTPS.
Clients which are not compliant or don't support HTTPS may still download the
programs and files.
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada
This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.
Problem reports: http://cygwin.com/problems.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple