Web lists-archives.com

Re: SSL not required for setup.exe download




On 2019-03-10 10:40, Archie Cobbs wrote:
> On Sun, Mar 10, 2019 at 9:16 AM Brian Inglis wrote:
>>> Is there any reason not to force this redirect and close this security hole?

There are apparently reasons not to force this redirect as it can also cause a
security hole.

>> The whole sourceware.org site include cygwin.com uses HSTS which compliant
>> supporting clients can use to switch to communicating over HTTPS.
>> Clients which are not compliant or don't support HTTPS may still download the
>> programs and files.
> 
> I don't see how HSTS solves the particular issue that I'm referring to.

HSTS redirects requests from port 80 to 443 (HTTPS).

> HSTS only applies to connections that are *already* using HTTPS.
> Quoting Wikipedia:
> 
>     HSTS mechanism overview
> 
>     A server implements an HSTS policy by supplying a header over an
> HTTPS connection (HSTS headers over HTTP are ignored).

The HSTS Mechanism is a small part of the HSTS implementation:

	https://tools.ietf.org/html/rfc6797

and the wiki article may not be a good description.

> In any case, the problem I'm talking about is trivial to verify. Just
> start up Chrome or Firefox and enter http://www.cygwin.com. You can
> then confirm that (a) the page you are looking at has an http:// URL,
> and (b) the link to setup.exe also has an http:// URL. Therefore,
> there is no real security in this scenario.

I only get to see https://www.cygwin.com/ YMMV

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple