This is the mail archive of the cygwin mailing list for the Cygwin project.



Re: SSL not required for setup.exe download


On 3/12/19, Andrey Repin <anrdaemon@yandex.ru> wrote:
> Greetings, Lee!
>
>>> Which is way worse in my opinion, than any theoretical MITM attack,
>>> which is easily mitigated with proper validation of your downloads.
>
>> Serious question - exactly how does one do "proper validation of your
>> downloads"?
>
> Use PGP signature to validate the installer. Use separate channel to obtain
> trust records for PGP key used in signing.

Yes, in the ideal world.  But at least in my experience, most Windows
software doesn't come with a PGP signature & using a separate channel
to get the PGP key isn't so easy.

Just out of curiosity... has the Cygwin public key been posted in
multiple places or sent to the mailing list?  Getting the exe, sig &
key from https://cygwin.com/install.html seems not the best security.

> And not blindly trust "supposedly-secure" connections.

I don't.  But I trust TLS connections a lot more than I trust
clear-text connections.

Regards,
Lee

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
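The verification step Andrey describes, as an added example that is not part of the thread and not Cygwin's own tooling: a POSIX shell function that checks a detached PGP signature with gpg and pins the signing key's primary fingerprint to a value obtained over a separate channel, so a good signature from the wrong key is rejected. The key, installer bytes, fingerprint and file names in the demo are constructed placeholders, and GnuPG 2.1 or later is assumed.

```shell
# Added example, not code from the thread or from the Cygwin project.
# verify_pinned FILE SIG KEYFILE EXPECTED_FPR
# Succeeds only if SIG is a good signature over FILE made by a key in
# KEYFILE (an exported public key block) whose primary-key fingerprint
# equals EXPECTED_FPR. Trust comes from the pinned fingerprint obtained
# out of band, not from the web of trust, hence --trust-model always.
verify_pinned() {
    status=$(gpg --batch --no-default-keyring --keyring "$3" \
                 --trust-model always --status-fd 1 \
                 --verify "$2" "$1" 2>/dev/null) || return 1
    # "[GNUPG:] VALIDSIG <sigkey-fpr> ... <primary-key-fpr>": compare the
    # primary-key fingerprint, which is what a key's owner publishes.
    got=$(printf '%s\n' "$status" | awk '$2=="VALIDSIG"{print $NF; exit}')
    [ -n "$got" ] && [ "$got" = "$4" ]
}

# demo: constructs a throwaway key and a stand-in "installer" (placeholders,
# not Cygwin's key or setup.exe), then checks that the right fingerprint
# passes while a wrong fingerprint and a tampered file both fail.
demo() {
    tmp=$(mktemp -d)
    export GNUPGHOME="$tmp/gnupg"; mkdir -m 700 "$GNUPGHOME"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'demo <demo@example.invalid>' default default never
    printf 'constructed installer bytes\n' > "$tmp/setup.exe"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --detach-sign --output "$tmp/setup.exe.sig" "$tmp/setup.exe"
    gpg --batch --quiet --export demo@example.invalid > "$tmp/pub.gpg"
    # Stand-in for the fingerprint you would fetch over a separate channel.
    fpr=$(gpg --batch --with-colons --fingerprint demo@example.invalid \
          | awk -F: '$1=="fpr"{print $10; exit}')
    wrong=$(printf '%s' "$fpr" | tr '0-9A-F' '1-9A-F0')   # every digit shifted
    verify_pinned "$tmp/setup.exe" "$tmp/setup.exe.sig" "$tmp/pub.gpg" "$fpr" \
        || return 1
    ! verify_pinned "$tmp/setup.exe" "$tmp/setup.exe.sig" "$tmp/pub.gpg" "$wrong" \
        || return 1
    printf 'tampered\n' >> "$tmp/setup.exe"
    ! verify_pinned "$tmp/setup.exe" "$tmp/setup.exe.sig" "$tmp/pub.gpg" "$fpr" \
        || return 1
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$tmp"
}

demo && echo "ok: signature check plus fingerprint pin behaves as expected"
```

In real use, EXPECTED_FPR is the fingerprint you copied from a channel independent of the download site, and KEYFILE is the key you fetched and compared against it.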

