This is the mail archive of the cygwin mailing list for the Cygwin project.
Re: SSL not required for setup.exe download
- From: Andrey Repin <anrdaemon at yandex dot ru>
- To: Archie Cobbs <archie dot cobbs at gmail dot com>, cygwin at cygwin dot com
- Date: Sun, 10 Mar 2019 16:29:57 +0300
- Subject: Re: SSL not required for setup.exe download
- References: <CANSoFxtW0Jb1M5KfkFGGOxec_D8ysyYCrnk_PXWjHobLDXZauQ@mail.gmail.com>
- Reply-to: cygwin at cygwin dot com
Greetings, Archie Cobbs!
> The FAQ states:
> The Cygwin website provides the setup program (setup-x86.exe or
> setup-x86_64.exe) using HTTPS (SSL/TLS).
> While this is true, it's not mandatory.
> If one happens to go to HTTP://www.cygwin.com instead of
> HTTPS://www.cygwin.com, then neither the page you are viewing (which
> contains the setup.exe download link), nor the setup.exe download link
> itself are secured via SSL.
> So someone who just types "cygwin.com" into the browser location bar
> and clicks on the setup.exe link is vulnerable to a MTM attack.
> It would be safer if http://www.cygwin.com always redirected you to
> https://www.cygwin.com, where the page and the link are SSL.
> Is there any reason not to force this redirect and close this security hole?
If you care that much, you would use https.
If not, then I see no reason to bend to the hysterical crowd.
--
With best regards,
Andrey Repin
Sunday, March 10, 2019 16:29:01
Sorry for my terrible English...
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
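The redirect Archie asks for can be verified without trusting the browser: fetch the site over plain HTTP and confirm the server answers with a permanent redirect to https, and that no setup link on an unredirected page is itself plain http. The checker below is an added example, not code from the thread or the Cygwin project; it runs on constructed responses (`page_url`, `status`, `headers`, `body` are assumed to be whatever an HTTP client returned) and the setup file names come from the FAQ quoted above.

```python
import re
from urllib.parse import urljoin, urlparse

# Names of the installer the FAQ says is served over HTTPS.
SETUP_NAMES = ("setup-x86.exe", "setup-x86_64.exe")

def check_http_response(page_url, status, headers, body):
    """Findings for a plain-http fetch of page_url (empty list = site forces https).

    status, headers and body are what the server returned for the http:// URL.
    """
    findings = []
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status in (301, 302, 307, 308):
        loc = hdrs.get("location", "")
        if urlparse(loc).scheme != "https":
            findings.append(f"redirect target is not https: {loc!r}")
        if status in (302, 307):
            findings.append("redirect is temporary; use 301/308 so browsers remember it")
        return findings
    # No redirect: the page itself, and every installer link on it, came over plain HTTP.
    findings.append(f"{page_url} answered {status} instead of redirecting to https")
    for href in re.findall(r'href=["\']([^"\']+)["\']', body, re.I):
        if href.rsplit("/", 1)[-1] in SETUP_NAMES:
            full = urljoin(page_url, href)
            if urlparse(full).scheme != "https":
                findings.append(f"setup download link not https: {full}")
    return findings

# Constructed sample responses (not captured from cygwin.com).
PAGE = "http://www.cygwin.com/"
INSECURE_BODY = (
    '<a href="setup-x86_64.exe">64-bit</a> '
    '<a href="http://www.cygwin.com/setup-x86.exe">32-bit</a> '
    '<a href="https://cygwin.com/setup-x86_64.exe">secure link</a>'
)
FIXED_HEADERS = {"Location": "https://www.cygwin.com/"}

if __name__ == "__main__":
    for line in check_http_response(PAGE, 200, {}, INSECURE_BODY):
        print("FAIL:", line)
    print("fixed site:", check_http_response(PAGE, 301, FIXED_HEADERS, "") or "ok")
```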