This is the mail archive of the
cygwin
mailing list for the Cygwin project.
Re: Cygwin website uses http: (not https:) for .exe downloads, allowing man-in-the-middle attack
- From: Yaakov Selkowitz <yselkowitz at cygwin dot com>
- To: cygwin at cygwin dot com
- Date: Fri, 27 Feb 2015 02:50:13 -0600
- Subject: Re: Cygwin website uses http: (not https:) for .exe downloads, allowing man-in-the-middle attack
- Authentication-results: sourceware.org; auth=none
- References: <E1YR6y2-0008G9-Gr at rmm6prod02 dot runbox dot com>
On Thu, 2015-02-26 at 17:31 -0500, David A. Wheeler wrote:
> The Cygwin front web page ( https://www.cygwin.com/ ) says:
> "Install it by running setup-x86.exe (32-bit installation) or
> setup-x86_64.exe (64-bit installation)."
>
> However, both of the links to those .exe executables explicitly
> use "http://", and not "https://", even when you go to the https
> version of the Cygwin website.
The links are now relative, so this should no longer be an issue.
Thanks for reporting,
Yaakov
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple