incomplete/corrupted setup.exe

Dave Korn dave.korn.cygwin@googlemail.com
Tue Mar 16 11:32:00 GMT 2010


On 16/03/2010 09:53, Csaba Raduly wrote:
> On Tue, Mar 16, 2010 at 3:25 AM, Steven Monai wrote:
> [snip]
>> IT departments are becoming increasingly security conscious. That's
>> probably why the OP had trouble downloading setup.exe. It wasn't because
>> his IT was "brain-dead", but because there are legitimate security
>> concerns about downloading an unsigned exe over a non-SSL-authenticated
>> channel.
> 
> Unfortunately, many IT departments follow the "We must do something.
> This is something. Therefore we must do this." action plan :/
> Installing a webfilter falls into this category, IMO.

  Certainly, if the IT department's goal is to enforce secure signed
downloads, I fail to see how they can do this by pattern matching against file
names.

>> I suggest people inform themselves about the current state of art in
>> "man-in-the-middle" hijacking attacks, because the means by which
>> cygwin.com currently distributes setup.exe is vulnerable to a MITM
>> surreptitiously delivering a trojan setup.exe in place of the actual.
>> For this reason, I caution Cygwin users against downloading setup.exe
>> over unsafe networks (e.g. public wireless hotspots, hotel networks, etc.).
> 
> Or the Internet, in general :)
> 
> Perhaps the MD5 and/or SHA1 checksums for the current setup.exe should
> be published (and updated every time there's a new release) next to
> the download link (like Apache does, for example)

  Any theoretical MITM who can redirect your download of setup.exe to a
malicious version can just as easily also redirect your download of index.html
likewise to an edited version with fake checksums.

  It would be very nice to be able to serve it up over https, but it's not
just a matter of "Buy a cert for a couple of hundred bucks, edit httpd.conf
and away you go".  Sourceware.org is a busy and vital public server, so there
are plenty of issues to be considered, like doing some proper benchmarking and
making sure adding SSL doesn't significantly impact the availability and load
levels on the sever, possibly having to add more capacity, and then there's
all the accountability-and-control issues about who is responsible for the
certificate and how and where it is maintained.....

  It is however a very highly-desirable goal.  I'll try and find some round
tuits to see if we can't get some traction.

    cheers,
      DaveK


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple



More information about the Cygwin mailing list