Re: SSL not required for setup.exe download

2019-03-12 Thread Archie Cobbs
On Tue, Mar 12, 2019 at 9:32 AM Brian Inglis wrote: > > OTOH, if you download the file over HTTPS.. then your client supports > > SSL. Which is exactly what I'm saying should be mandatory. > > Forcing TLS means blocking anyone who for any reason can not use TLS: this is > a > performance and supp

Re: SSL not required for setup.exe download

2019-03-12 Thread Archie Cobbs
On Mon, Mar 11, 2019 at 6:00 PM Lee wrote: > > I must say I'm surprised so many people think it's a good idea to > > leave cygwin open to trivial MITM attacks, which is the current state > > of affairs. > > But it's only open to a trivial MITM attack if the user types in > "http://cygwin.com" - co

Re: SSL not required for setup.exe download

2019-03-11 Thread Archie Cobbs
On Mon, Mar 11, 2019 at 2:43 PM Brian Inglis wrote: > On 2019-03-11 07:43, Archie Cobbs wrote: > > On Sun, Mar 10, 2019 at 10:51 PM Brian Inglis wrote: > >>>>> Is there any reason not to force this redirect and close this security > >>>>> hole? >

Re: SSL not required for setup.exe download

2019-03-11 Thread Archie Cobbs
On Sun, Mar 10, 2019 at 10:51 PM Brian Inglis wrote: > >>> Is there any reason not to force this redirect and close this security > >>> hole? > > There are apparently reasons not to force this redirect as it can also cause a > security hole. That's really interesting. Can you provide more detail

Re: SSL not required for setup.exe download

2019-03-10 Thread Archie Cobbs
On Sun, Mar 10, 2019 at 6:20 PM L A Walsh wrote: > >> It would be safer if http://www.cygwin.com always redirected you to > >> https://www.cygwin.com, where the page and the link are SSL. > >> Is there any reason not to force this redirect and close this security > >> hole? > > I think the po

Re: SSL not required for setup.exe download

2019-03-10 Thread Archie Cobbs
Hi Brian, On Sun, Mar 10, 2019 at 9:16 AM Brian Inglis wrote: > > Is there any reason not to force this redirect and close this security hole? > > The whole sourceware.org site include cygwin.com uses HSTS which compliant > supporting clients can use to switch to communicating over HTTPS. > Clien

Re: SSL not required for setup.exe download

2019-03-10 Thread Archie Cobbs
Hi Andrey, On Sun, Mar 10, 2019 at 8:35 AM Andrey Repin wrote: > > Is there any reason not to force this redirect and close this security hole? > > If you care that much, you would use https. > If not, then I see no reason to bend to hysteric crowd. You are correct: careful, diligent, knowledgea

SSL not required for setup.exe download

2019-03-09 Thread Archie Cobbs
The FAQ states: The Cygwin website provides the setup program (setup-x86.exe or setup-x86_64.exe) using HTTPS (SSL/TLS). While this is true, it's not mandatory. If one happens to go to HTTP://www.cygwin.com instead of HTTPS://www.cygwin.com, then neither the page you are viewing (which conta