This is the mail archive of the
cygwin
mailing list for the Cygwin project.
Cygwin website uses http: (not https:) for .exe downloads, allowing man-in-the-middle attack
- From: "David A. Wheeler" <dwheeler at dwheeler dot com>
- To: "cygwin" <cygwin at cygwin dot com>
- Date: Thu, 26 Feb 2015 17:31:38 -0500 (EST)
- Subject: Cygwin website uses http: (not https:) for .exe downloads, allowing man-in-the-middle attack
- Authentication-results: sourceware.org; auth=none
- Reply-to: dwheeler at dwheeler dot com
The Cygwin front web page ( https://www.cygwin.com/ ) says:
"Install it by running setup-x86.exe (32-bit installation) or setup-x86_64.exe (64-bit installation)."
However, both of the links to those .exe executables explicitly use "http://";, and not "https://";, even when you go to the https version of the Cygwin website. This use of http: enables a man-in-the-middle attack on anyone trying to download the Cygwin installer. In particular, a man-in-the-middle could maliciously modify the .exe, and there are many programs that can automatically insert malicious code into a Windows .exe file.
Please fix those links to use "https:", and not "http:".
You might also want to enable "HTTP Strict Transport Security" (HSTS) on the Cygwin website.
--- David A. Wheeler
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple