Re: SSL should not be required for open source downloading
- Date: Mon, 11 Mar 2019 13:24:53 -0700
- From: L A Walsh <cygwin@xxxxxxxxx>
- Subject: Re: SSL should not be required for open source downloading
On 3/11/2019 6:43 AM, Archie Cobbs wrote:
> On Sun, Mar 10, 2019 at 10:51 PM Brian Inglis
> <Brian.Inglis@xxxxxxxxxxxxxxxxxx> wrote:
>>>>> Is there any reason not to force this redirect and close this security hole?
>> There are apparently reasons not to force this redirect as it can also cause a
>> security hole.
> That's really interesting. Can you provide more detail?
I know that was directed at Brian, but...
Because if the assumption is that the site uses https or will redirect it,
then to start the session the client would send startTLS parameters.
If it so happens that part of the site, does not use https, then
an attacker could grab those initial parameters. Somehow providing
"opensource" binaries doesn't seem like the type of thing that needs
or should even have encryption.
>>>> The whole sourceware.org site include cygwin.com uses HSTS which compliant supporting clients can use to switch to communicating over HTTPS. Clients which are not compliant or don't support HTTPS may still download the programs and files.
>>> I don't see how HSTS solves the particular issue that I'm referring to.
>> HSTS redirects requests from port 80 to 443 (HTTPS).
> Not for me. Well, actually I'm getting inconsistent results...
> On Mac OS X, neither Firefox, Chrome nor Safari will redirect to SSL.
FWIW, apple customizes their library behaviors and doesn't always follow the
> On an old Windows 7 system, neither IE 8 (no surprise there) or Chrome
HSTS is only set from HTTPS. If you only access the site in cleartext,
that is what you will get. If you don't understand HSTS, perhaps reading
and understanding the document would be good before promoting it -- just
Problem reports: http://cygwin.com/problems.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple