Re: SSL not required for setup.exe download
On 2019-03-12 07:47, Archie Cobbs wrote:
> On Mon, Mar 11, 2019 at 6:00 PM Lee wrote:
>>> I must say I'm surprised so many people think it's a good idea to
>>> leave cygwin open to trivial MITM attacks, which is the current state
>>> of affairs.
>> But it's only open to a trivial MITM attack if the user types in
>> "http://cygwin.com" - correct? Why isn't the fix "don't do that"?
> Because security that rests on assuming humans will always do the
> correct thing has proven to be unreliable (understatement).
>>> This is my opinion only of course, but if cygwin wants to have any
>>> security credibility, it should simply disallow non-SSL downloads of
>>> setup.exe. Otherwise the chain of authenticity is broken forever.
>> They sign setup.exe, so "the chain of authenticity" is there regardless.
> I don't see your point.
> Downloading the sig file over HTTP is useless... any attacker going to
> the trouble to launch a MITM attack for setup.exe will certainly also
> do it for the sig file as well.
> OTOH, if you download the file over HTTPS.. then your client supports
> SSL. Which is exactly what I'm saying should be mandatory.
Forcing TLS means blocking anyone who for any reason can not use TLS: this is a
performance and support burden compared to allowing both HTTP:80 and HTTPS:443.
Same reasons most ISPs/ASes/orgs don't filter or validate packet source IP
addresses per BCP 38 which would stop most abuses!
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada
This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.
Problem reports: http://cygwin.com/problems.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple