Re: SSL not required for setup.exe download
- Date: Sun, 10 Mar 2019 16:20:23 -0700
- From: L A Walsh <cygwin@xxxxxxxxx>
- Subject: Re: SSL not required for setup.exe download
On 3/10/2019 7:16 AM, Brian Inglis wrote:
> On 2019-03-09 21:54, Archie Cobbs wrote:
>> It would be safer if http://www.cygwin.com always redirected you to
>> https://www.cygwin.com, where the page and the link are SSL.
>> Is there any reason not to force this redirect and close this security hole?
I think the point is that if you redirect and a client can't
speak https, what happens? Wouldn't they get an error that would
prevent them from using the site?
Google has a vested interest in getting people locked in on
https -- makes it much harder for people to use proxies and lower
their requests to google and for them to block some requests. They get
to control what you get -- not you.
> The whole sourceware.org site include cygwin.com uses HSTS which compliant
> supporting clients can use to switch to communicating over HTTPS.
> Clients which are not compliant or don't support HTTPS may still download the
> programs and files.
Problem reports: http://cygwin.com/problems.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple