Web lists-archives.com

Re: SSL not required for setup.exe download




On 3/12/19, Archie Cobbs  wrote:
> On Mon, Mar 11, 2019 at 6:00 PM Lee wrote:
>> > I must say I'm surprised so many people think it's a good idea to
>> > leave cygwin open to trivial MITM attacks, which is the current state
>> > of affairs.
>>
>> But it's only open to a trivial MITM attack if the user types in
>> "http://cygwin.com"; - correct?  Why isn't the fix "don't do that"?
>
> Because security that rests on assuming humans will always do the
> correct thing has proven to be unreliable (understatement).
>
>> > This is my opinion only of course, but if cygwin wants to have any
>> > security credibility, it should simply disallow non-SSL downloads of
>> > setup.exe. Otherwise the chain of authenticity is broken forever.
>>
>> They sign setup.exe, so "the chain of authenticity" is there regardless.
>>   https://cygwin.com/setup-x86_64.exe
>>   https://cygwin.com/setup-x86_64.exe.sig
>
> I don't see your point.
>
> Downloading the sig file over HTTP is useless... any attacker going to
> the trouble to launch a MITM attack for setup.exe will certainly also
> do it for the sig file as well.

Have you ever used gpg?  It tells you who signed the file:
$ gpg --verify cygwinSetup-x86_64.exe.sig cygwinSetup-x86_64.exe
gpg: Signature made Sun, Oct 21, 2018 12:02:34 PM EDT
gpg:                using DSA key 0xA9A262FF676041BA
gpg: Good signature from "Cygwin <cygwin@xxxxxxxxxx>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 1169 DF9F 2273 4F74 3AA5  9232 A9A2 62FF 6760 41BA

So even if someone was able to hijack cygwin.com, the files I
downloaded won't verify.

and yes.. gpg key usage tends to devolve to 'trust on first use' but
even so, it still seems better than most alternatives.

Regards,
Lee

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple