This is the mail archive of the cygwin mailing list for the Cygwin project.
Re: SSL not required for setup.exe download
On 3/11/19, Archie Cobbs wrote:
> On Mon, Mar 11, 2019 at 2:43 PM Brian Inglis wrote:
>> On 2019-03-11 07:43, Archie Cobbs wrote:
>> > On Sun, Mar 10, 2019 at 10:51 PM Brian Inglis wrote:
>> >>>>> Is there any reason not to force this redirect and close this
>> >>>>> security hole?
>> >> There are apparently reasons not to force this redirect as it can also
>> >> cause a security hole.
>> > That's really interesting. Can you provide more detail?
>>
>> Search for HTTP HTTPS redirection SSL stripping MitM attack
>
> I did, but I only get results relating to the "stripping" attack,
> which downgrades from HTTPS to HTTP.
>
> Obviously that would cause a reduction in security... But what I'm
> suggesting is the opposite: redirecting from HTTP to HTTPS.
>
> How could that reduce security?
Part of "security" is "availability". If whatever is doing the download
isn't able to do TLS, then redirecting to https://cygwin.com makes
cygwin.com unavailable.
> (sigh)
>
> I must say I'm surprised so many people think it's a good idea to
> leave cygwin open to trivial MITM attacks, which is the current state
> of affairs.
But it's only open to a trivial MITM attack if the user types in
"http://cygwin.com" - correct? Why isn't the fix "don't do that"?
> This is my opinion only of course, but if cygwin wants to have any
> security credibility, it should simply disallow non-SSL downloads of
> setup.exe. Otherwise the chain of authenticity is broken forever.
They sign setup.exe, so "the chain of authenticity" is there regardless.
https://cygwin.com/setup-x86_64.exe
https://cygwin.com/setup-x86_64.exe.sig
Regards,
Lee