Web lists-archives.com

Re: SSL not required for setup.exe download




On 3/11/19, Andrey Repin  wrote:
> Greetings, Archie Cobbs!
>
>> I must say I'm surprised so many people think it's a good idea to
>> leave cygwin open to trivial MITM attacks, which is the current state
>> of affairs.
>
>> This is my opinion only of course, but if cygwin wants to have any
>> security credibility, it should simply disallow non-SSL downloads of
>> setup.exe. Otherwise the chain of authenticity is broken forever.
>
> All the SSL stuff is build on idea of implicit unlimited trust.

I agree, the whole certificate authority bit seems to .. over-promise.
On the other hand, it does also seems to "raise the bar" making it
much more difficult to snoop or alter data in transit.

> Which is way worse in my opinion, than any theoretical MITM attack, which
> is easily mitigated with proper validation of your downloads.

Serious question - exactly how does one do "proper validation of your
downloads"?

For example, I don't have the current version of 7-zip
  https://www.7-zip.org/
has a download link, but I don't see anything for a .sig, checksum or anything.
  https://sourceforge.net/projects/sevenzip/files/7-Zip/19.00/
isn't any better.
It seems to me that the best I can do is make sure I do the download
via an https:// link

> It gives you false sense of security. What is worse, everybody is
> attempting
> to reassure this false sense on every possible occasion.

I don't think it's a false sense of security.  https:// isn't "safe"
but it is _safer_ than http://

Regards,
Lee

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple