Web lists-archives.com

Re: SSL not required for setup.exe download




On Sun, Mar 10, 2019 at 10:51 PM Brian Inglis
<Brian.Inglis@xxxxxxxxxxxxxxxxxx> wrote:
> >>> Is there any reason not to force this redirect and close this security hole?
>
> There are apparently reasons not to force this redirect as it can also cause a
> security hole.

That's really interesting. Can you provide more detail?

> >> The whole sourceware.org site include cygwin.com uses HSTS which compliant
> >> supporting clients can use to switch to communicating over HTTPS.
> >> Clients which are not compliant or don't support HTTPS may still download the
> >> programs and files.
> >
> > I don't see how HSTS solves the particular issue that I'm referring to.
>
> HSTS redirects requests from port 80 to 443 (HTTPS).

Not for me. Well, actually I'm getting inconsistent results...

On Mac OS X, neither Firefox, Chrome nor Safari will redirect to SSL.

On an old Windows 7 system, neither IE 8 (no surprise there) or Chrome
redirects.

However, with Chrome, it does not redirect at first, but once I've
manually entered https://www.cygwin.com it seems to "realize" that a
secure site exists, and after that it starts redirecting to SSL.

I can revert that behavior by clearing the cache.

So it seems in the case of Chrome, it has to be "taught" about the
existence of the secure site... which of course takes us right back to
the original problem.

-AC

-- 
Archie L. Cobbs

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple