Web lists-archives.com

Re: SSL not required for setup.exe download

On 3/10/2019 7:16 AM, Brian Inglis wrote:
> On 2019-03-09 21:54, Archie Cobbs wrote:
>> It would be safer if http://www.cygwin.com always redirected you to
>> https://www.cygwin.com, where the page and the link are SSL.
>> Is there any reason not to force this redirect and close this security hole?
    I think the point is that if you redirect and a client can't
speak https, what happens?  Wouldn't they get an error that would
prevent them from using the site?

    Google has a vested interest in getting people locked in on
https -- makes it much harder for people to use proxies and lower
their requests to google and for them to block some requests.  They get
to control what you get -- not you.

> The whole sourceware.org site include cygwin.com uses HSTS which compliant
> supporting clients can use to switch to communicating over HTTPS.
> Clients which are not compliant or don't support HTTPS may still download the
> programs and files.

Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple