On Thu, 26 Feb 2015 23:37:37 +0100, Corinna Vinschen <corinna-cyg...@cygwin.com> wrote: > On Feb 26 17:31, David A. Wheeler wrote: > > The Cygwin front web page ( https://www.cygwin.com/ ) says: > > "Install it by running setup-x86.exe (32-bit installation) or > > setup-x86_64.exe (64-bit installation)." > > > Did you notice that you're automatically redirected to https?
Yes, but the redirect looks like it's vulnerable to a man-in-the-middle attack. The front page http: hyperlink *disables* https on the request, because it explicitly asks for http: instead. If the browser sees an "http" link, it typically uses http to send the request (unless HSTS is used). In that case, a man-in-the-middle attacker can just intercept the http request and reply with a malicious executable. When that happens cygwin.org never gets a chance to redirect anything. It's possible it's okay (I haven't done a packet capture on it), but it looks really suspicious. Links to executables should explicitly say "https://";. It's a trivial change to the webpage, too. > > You might also want to enable "HTTP Strict Transport Security" (HSTS) > > on the Cygwin website. Corinna Vinschen: > That's not for us to say. We're user of the site, not admins. You can always ask the admins. Anyway, my key point is to make it possible to *start* and *stay* on https: when downloading the .exe file (to prevent tampering). --- David A. Wheeler -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
