SSL not required for setup.exe download
Archie Cobbs
archie.cobbs@gmail.com
Sun Mar 10 04:54:00 GMT 2019
The FAQ states:
The Cygwin website provides the setup program (setup-x86.exe or
setup-x86_64.exe) using HTTPS (SSL/TLS).
While this is true, it's not mandatory.
If one happens to go to HTTP://www.cygwin.com instead of
HTTPS://www.cygwin.com, then neither the page you are viewing (which
contains the setup.exe download link), nor the setup.exe download link
itself are secured via SSL.
So someone who just types "cygwin.com" into the browser location bar
and clicks on the setup.exe link is vulnerable to a MTM attack.
It would be safer if http://www.cygwin.com always redirected you to
https://www.cygwin.com, where the page and the link are SSL.
Is there any reason not to force this redirect and close this security hole?
-Archie
--
Archie L. Cobbs
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
More information about the Cygwin
mailing list