On Feb 26 17:31, David A. Wheeler wrote: > The Cygwin front web page ( https://www.cygwin.com/ ) says: > "Install it by running setup-x86.exe (32-bit installation) or > setup-x86_64.exe (64-bit installation)." > > However, both of the links to those .exe executables explicitly use > "http://";, and not "https://";, even when you go to the https version > of the Cygwin website. This use of http: enables a man-in-the-middle > attack on anyone trying to download the Cygwin installer. In > particular, a man-in-the-middle could maliciously modify the .exe, and > there are many programs that can automatically insert malicious code > into a Windows .exe file.
Did you notice that you're automatically redirected to https? > Please fix those links to use "https:", and not "http:". > > You might also want to enable "HTTP Strict Transport Security" (HSTS) > on the Cygwin website. That's not for us to say. We're user of the site, not admins. Corinna -- Corinna Vinschen Please, send mails regarding Cygwin to Cygwin Maintainer cygwin AT cygwin DOT com Red Hat
pgp2uEgVcWVMM.pgp
Description: PGP signature
