Re: SSL not required for setup.exe download
- Date: Sun, 10 Mar 2019 11:40:28 -0500
- From: Archie Cobbs <archie.cobbs@xxxxxxxxx>
- Subject: Re: SSL not required for setup.exe download
On Sun, Mar 10, 2019 at 9:16 AM Brian Inglis <Brian.Inglis@xxxxxxx> wrote:
> > Is there any reason not to force this redirect and close this security hole?
> The whole sourceware.org site including cygwin.com uses HSTS which compliant
> supporting clients can use to switch to communicating over HTTPS.
> Clients which are not compliant or don't support HTTPS may still download the
> programs and files.
I don't see how HSTS solves the particular issue that I'm referring to.
HSTS only applies to connections that are *already* using HTTPS.
HSTS mechanism overview
A server implements an HSTS policy by supplying a header over an
HTTPS connection (HSTS headers over HTTP are ignored).
In any case, the problem I'm talking about is trivial to verify. Just
start up Chrome or Firefox and enter http://www.cygwin.com. You can
then confirm that (a) the page you are looking at has an http:// URL,
and (b) the link to setup.exe also has an http:// URL. Therefore,
there is no real security in this scenario.
Archie L. Cobbs
Problem reports: http://cygwin.com/problems.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
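The point made above (an HSTS header received over plain HTTP is ignored, so without a redirect the first http:// visit and the setup.exe link it contains get no upgrade) can be modelled directly. This is an added example, not code from the thread or from cygwin.com; it uses a placeholder hostname and constructed server responses, and implements the browser-side handling of the Strict-Transport-Security header as RFC 6797 specifies it.

```python
from urllib.parse import urlsplit, urlunsplit

HOST = "www.example.test"   # placeholder, not the real site
HSTS = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
# Weak configuration: HSTS header is sent, but http:// pages are served directly.
SERVER_NO_REDIRECT = {"http": {"status": 200, "headers": dict(HSTS)},
                      "https": {"status": 200, "headers": dict(HSTS)}}
# Corrected configuration: http:// is redirected to https:// before anything else.
SERVER_REDIRECT = {"http": {"status": 301, "headers": {"Location": f"https://{HOST}/"}},
                   "https": {"status": 200, "headers": dict(HSTS)}}

def parse_max_age(value):
    """Return the max-age directive of an HSTS header value, or None."""
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.strip().lower() == "max-age" and val.strip().isdigit():
            return int(val)
    return None

def process_response(hsts_cache, host, scheme, response):
    """Update the HSTS cache; a header received over plain HTTP is ignored."""
    header = response["headers"].get("Strict-Transport-Security")
    max_age = parse_max_age(header) if scheme == "https" and header else None
    if max_age is None:
        return
    if max_age == 0:
        hsts_cache.pop(host, None)      # max-age=0 clears a stored policy
    else:
        hsts_cache[host] = max_age

def resolve_link(hsts_cache, url):
    """URL the browser would actually request for a link found on the page."""
    parts = urlsplit(url)
    if parts.scheme == "http" and hsts_cache.get(parts.hostname, 0) > 0:
        return urlunsplit(("https",) + tuple(parts[1:]))
    return url

def visit_and_get_setup_link(hsts_cache, host, server):
    """Type http://host/ in the address bar, follow at most one redirect to
    https, and return the URL the page's setup.exe link resolves to."""
    scheme = "http"
    for _ in range(2):
        response = server[scheme]
        process_response(hsts_cache, host, scheme, response)
        location = response["headers"].get("Location", "")
        if response["status"] in (301, 302, 307, 308) and location.startswith("https://"):
            scheme = "https"
        else:
            break
    # The page links to setup.exe using the same scheme the page was served on.
    return resolve_link(hsts_cache, f"{scheme}://{host}/setup.exe")
```

With the weak configuration the cache stays empty and the download link stays on http://; with the redirect in place the policy is stored and later plain-http links to the host are upgraded by the client.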