Web lists-archives.com

Re: SSL not required for setup.exe download




On 2019-03-12 07:47, Archie Cobbs wrote:
> On Mon, Mar 11, 2019 at 6:00 PM Lee wrote:
>>> I must say I'm surprised so many people think it's a good idea to
>>> leave cygwin open to trivial MITM attacks, which is the current state
>>> of affairs.
>> But it's only open to a trivial MITM attack if the user types in
>> "http://cygwin.com"; - correct?  Why isn't the fix "don't do that"?
> Because security that rests on assuming humans will always do the
> correct thing has proven to be unreliable (understatement).
>>> This is my opinion only of course, but if cygwin wants to have any
>>> security credibility, it should simply disallow non-SSL downloads of
>>> setup.exe. Otherwise the chain of authenticity is broken forever.
>> They sign setup.exe, so "the chain of authenticity" is there regardless.
>>   https://cygwin.com/setup-x86_64.exe
>>   https://cygwin.com/setup-x86_64.exe.sig
> I don't see your point.
> Downloading the sig file over HTTP is useless... any attacker going to
> the trouble to launch a MITM attack for setup.exe will certainly also
> do it for the sig file as well.
> OTOH, if you download the file over HTTPS..  then your client supports
> SSL. Which is exactly what I'm saying should be mandatory.

Forcing TLS means blocking anyone who for any reason can not use TLS: this is a
performance and support burden compared to allowing both HTTP:80 and HTTPS:443.
Same reasons most ISPs/ASes/orgs don't filter or validate packet source IP
addresses per BCP 38 which would stop most abuses!

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple