On 2019-03-11 07:43, Archie Cobbs wrote: > On Sun, Mar 10, 2019 at 10:51 PM Brian Inglis wrote: >>>>> Is there any reason not to force this redirect and close this security >>>>> hole? >> There are apparently reasons not to force this redirect as it can also cause >> a >> security hole. > That's really interesting. Can you provide more detail?
Search for HTTP HTTPS redirection SSL stripping MitM attack >>>> The whole sourceware.org site include cygwin.com uses HSTS which compliant >>>> supporting clients can use to switch to communicating over HTTPS. >>>> Clients which are not compliant or don't support HTTPS may still download >>>> the >>>> programs and files. >>> I don't see how HSTS solves the particular issue that I'm referring to. >> HSTS redirects requests from port 80 to 443 (HTTPS). > Not for me. Well, actually I'm getting inconsistent results... > On Mac OS X, neither Firefox, Chrome nor Safari will redirect to SSL. > On an old Windows 7 system, neither IE 8 (no surprise there) or Chrome > redirects. > However, with Chrome, it does not redirect at first, but once I've > manually entered https://www.cygwin.com it seems to "realize" that a > secure site exists, and after that it starts redirecting to SSL. > I can revert that behavior by clearing the cache. > So it seems in the case of Chrome, it has to be "taught" about the > existence of the secure site... which of course takes us right back to > the original problem. Some sites, proxies, and CDNs respond with HTTP/1.0 302 Found and redirects to HTTPS:443 followed by the HTTP header. -- Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada This email may be disturbing to some readers as it contains too much technical detail. Reader discretion is advised. -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
