Re: SSL not required for setup.exe download




On 3/11/19, Archie Cobbs wrote:
> On Mon, Mar 11, 2019 at 2:43 PM Brian Inglis wrote:
>> On 2019-03-11 07:43, Archie Cobbs wrote:
>> > On Sun, Mar 10, 2019 at 10:51 PM Brian Inglis wrote:
>> >>>>> Is there any reason not to force this redirect and close this
>> >>>>> security hole?
>> >> There are apparently reasons not to force this redirect as it can also
>> >> cause a security hole.
>> > That's really interesting. Can you provide more detail?
>>
>> Search for HTTP HTTPS redirection SSL stripping MitM attack
>
> I did, but I only get results relating to the "stripping" attack,
> which downgrades from HTTPS to HTTP.
>
> Obviously that would cause a reduction in security... But what I'm
> suggesting is the opposite: redirecting from HTTP to HTTPS.
>
> How could that reduce security?

Part of "security" is "availability".  If whatever is doing the download
isn't able to do TLS then redirecting to https://cygwin.com makes
cygwin.com unavailable.

> (sigh)
>
> I must say I'm surprised so many people think it's a good idea to
> leave cygwin open to trivial MITM attacks, which is the current state
> of affairs.

But it's only open to a trivial MITM attack if the user types in
"http://cygwin.com" - correct?  Why isn't the fix "don't do that"?

> This is my opinion only of course, but if cygwin wants to have any
> security credibility, it should simply disallow non-SSL downloads of
> setup.exe. Otherwise the chain of authenticity is broken forever.

They sign setup.exe, so "the chain of authenticity" is there regardless.
  https://cygwin.com/setup-x86_64.exe
  https://cygwin.com/setup-x86_64.exe.sig

Regards,
Lee

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
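
The detached-signature check referred to in the message above, as an added example that is not part of the original post or Cygwin's own tooling. It assumes GnuPG (gpg, gpgv, gpgconf) is installed and that the keyring holds a public key obtained over a trusted channel; the key, file names and file contents below are constructed stand-ins, not Cygwin's real key or installer.

```shell
#!/bin/sh
# Added example: a detached-signature check that does not depend on the transport.

# verify_detached FILE SIG KEYRING
# Succeeds only if SIG is a valid detached signature over FILE made by a key
# in KEYRING (a file of exported public keys obtained over a trusted channel).
verify_detached() {
    gpgv --keyring "$3" "$2" "$1" >/dev/null 2>&1
}

# demo: runs in a subshell with a throwaway GNUPGHOME so nothing touches the
# caller's keyring. All keys and files here are constructed for the example.
demo() (
    work=$(mktemp -d) || exit 2
    trap 'gpgconf --kill all 2>/dev/null; rm -rf "$work"' EXIT
    GNUPGHOME="$work/gnupg"; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME"

    # Stand-in for the publisher: create a key, sign the file, export the public key.
    printf 'constructed installer bytes\n' > "$work/setup.bin"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Constructed Signer <signer@example.invalid>' \
        default default never 2>/dev/null || exit 2
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --output "$work/setup.bin.sig" --detach-sign "$work/setup.bin" \
        2>/dev/null || exit 2
    gpg --batch --quiet --export 2>/dev/null > "$work/trusted.gpg" || exit 2

    # Downloader's side: the file as published verifies ...
    if verify_detached "$work/setup.bin" "$work/setup.bin.sig" "$work/trusted.gpg"
    then original=accepted; else original=rejected; fi

    # ... and the same file with one byte changed in transit does not.
    printf 'x' >> "$work/setup.bin"
    if verify_detached "$work/setup.bin" "$work/setup.bin.sig" "$work/trusted.gpg"
    then modified=accepted; else modified=rejected; fi

    echo "original=$original modified=$modified"
)

demo
```

The check only carries weight if the keyring passed to `verify_detached` was not fetched over the same channel as the file being verified.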