On 3/12/19, Archie Cobbs wrote: > On Mon, Mar 11, 2019 at 6:00 PM Lee wrote: >> > I must say I'm surprised so many people think it's a good idea to >> > leave cygwin open to trivial MITM attacks, which is the current state >> > of affairs. >> >> But it's only open to a trivial MITM attack if the user types in >> "http://cygwin.com"; - correct? Why isn't the fix "don't do that"? > > Because security that rests on assuming humans will always do the > correct thing has proven to be unreliable (understatement). > >> > This is my opinion only of course, but if cygwin wants to have any >> > security credibility, it should simply disallow non-SSL downloads of >> > setup.exe. Otherwise the chain of authenticity is broken forever. >> >> They sign setup.exe, so "the chain of authenticity" is there regardless. >> https://cygwin.com/setup-x86_64.exe >> https://cygwin.com/setup-x86_64.exe.sig > > I don't see your point. > > Downloading the sig file over HTTP is useless... any attacker going to > the trouble to launch a MITM attack for setup.exe will certainly also > do it for the sig file as well.
Have you ever used gpg? It tells you who signed the file: $ gpg --verify cygwinSetup-x86_64.exe.sig cygwinSetup-x86_64.exe gpg: Signature made Sun, Oct 21, 2018 12:02:34 PM EDT gpg: using DSA key 0xA9A262FF676041BA gpg: Good signature from "Cygwin <cygwin@cygwin.com>" gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 1169 DF9F 2273 4F74 3AA5 9232 A9A2 62FF 6760 41BA So even if someone was able to hijack cygwin.com, the files I downloaded won't verify. and yes.. gpg key usage tends to devolve to 'trust on first use' but even so, it still seems better than most alternatives. Regards, Lee -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
