Greetings, Archie Cobbs!

> The FAQ states:
>
> The Cygwin website provides the setup program (setup-x86.exe or
> setup-x86_64.exe) using HTTPS (SSL/TLS).
>
> While this is true, it's not mandatory.
>
> If one happens to go to HTTP://www.cygwin.com instead of
> HTTPS://www.cygwin.com, then neither the page you are viewing (which
> contains the setup.exe download link), nor the setup.exe download link
> itself are secured via SSL.
>
> So someone who just types "cygwin.com" into the browser location bar
> and clicks on the setup.exe link is vulnerable to an MTM attack.
>
> It would be safer if http://www.cygwin.com always redirected you to
> https://www.cygwin.com, where the page and the link are SSL.
>
> Is there any reason not to force this redirect and close this security hole?

If you care that much, you would use https.
If not, then I see no reason to bend to the hysteric crowd.

--
With best regards,
Andrey Repin
Sunday, March 10, 2019 16:29:01

Sorry for my terrible English...
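The exposure described in the quoted question can be checked from a captured response. The following is an added example, not part of the original message or of any Cygwin tooling: it audits a response fetched over plain HTTP for a missing HTTPS redirect and for installer links that resolve to `http://`. The function name, the host `www.example.org` and the sample responses are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _Links(HTMLParser):
    """Collects the href of every <a> tag in a page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)


def audit_http_entry(url, status, headers, body=""):
    """Return findings for a response that was fetched over plain HTTP."""
    findings = []
    headers = {k.lower(): v for k, v in headers.items()}
    if status in (301, 302, 307, 308):
        # A redirect only helps if its target is HTTPS; a missing
        # Location header resolves back to the HTTP URL itself.
        target = urlsplit(urljoin(url, headers.get("location", "")))
        if target.scheme != "https":
            findings.append("redirect does not go to https")
        return findings
    # No redirect: the page arrived unauthenticated and can be rewritten
    # in transit, whatever scheme its links use.
    findings.append("page served over http without redirect")
    parser = _Links()
    parser.feed(body)
    for href in parser.hrefs:
        full = urljoin(url, href)  # relative links inherit the http scheme
        if full.lower().endswith(".exe") and urlsplit(full).scheme != "https":
            findings.append("installer link resolves to http: " + full)
    return findings


# Constructed sample: an HTTP page with a relative installer link.
SAMPLE_PAGE = '<html><body><a href="setup-x86_64.exe">setup</a></body></html>'
```
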