On 3/11/19, Archie Cobbs wrote: > On Mon, Mar 11, 2019 at 2:43 PM Brian Inglis wrote: >> On 2019-03-11 07:43, Archie Cobbs wrote: >> > On Sun, Mar 10, 2019 at 10:51 PM Brian Inglis wrote: >> >>>>> Is there any reason not to force this redirect and close this >> >>>>> security hole? >> >> There are apparently reasons not to force this redirect as it can also >> >> cause a >> >> security hole. >> > That's really interesting. Can you provide more detail? >> >> Search for HTTP HTTPS redirection SSL stripping MitM attack > > I did, but I only get results relating to the "stripping" attack, > which downgrades from HTTPS to HTTP. > > Obviously that would cause a reduction in security... But what I'm > suggesting is the opposite: redirecting from HTTP to HTTPS. > > How could that reduce security?
part of "security" is "availability". If whatever doing the download isn't able to do TLS then redirecting to https://cygwin.com makes cygwin.com unavailable. > (sigh) > > I must say I'm surprised so many people think it's a good idea to > leave cygwin open to trivial MITM attacks, which is the current state > of affairs. But it's only open to a trivial MITM attack if the user types in "http://cygwin.com" - correct? Why isn't the fix "don't do that"? > This is my opinion only of course, but if cygwin wants to have any > security credibility, it should simply disallow non-SSL downloads of > setup.exe. Otherwise the chain of authenticity is broken forever. They sign setup.exe, so "the chain of authenticity" is there regardless. https://cygwin.com/setup-x86_64.exe https://cygwin.com/setup-x86_64.exe.sig Regards, Lee -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple