This is the mail archive of the cygwin mailing list for the Cygwin project.



Re: Cygwin website uses http: (not https:) for .exe downloads, allowing man-in-the-middle attack


On Feb 26 17:31, David A. Wheeler wrote:
> The Cygwin front web page ( https://www.cygwin.com/ ) says:
> "Install it by running setup-x86.exe (32-bit installation) or
> setup-x86_64.exe (64-bit installation)."
> 
> However, both of the links to those .exe executables explicitly use
> "http://", and not "https://", even when you go to the https version
> of the Cygwin website.  This use of http: enables a man-in-the-middle
> attack on anyone trying to download the Cygwin installer.  In
> particular, a man-in-the-middle could maliciously modify the .exe, and
> there are many programs that can automatically insert malicious code
> into a Windows .exe file.

Did you notice that you're automatically redirected to https?

> Please fix those links to use "https:", and not "http:".
> 
> You might also want to enable "HTTP Strict Transport Security" (HSTS)
> on the Cygwin website.

That's not for us to say.  We're users of the site, not admins.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
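As an added example that is not part of the thread: a defender-side check for the two points raised above, executable download links that use plain http on an https page, and whether the site's HSTS header has a usable max-age. The HTML fragment, header dictionaries and thresholds are constructed for illustration, not fetched from cygwin.com.

```python
"""Check a page's installer links and its HSTS policy (added example).

The sample HTML below is constructed to resemble the situation described
in the thread; it is not a copy of the real Cygwin front page.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: an https page whose installer links are plain http.
SAMPLE_HTML = """
<p>Install it by running
<a href="http://cygwin.com/setup-x86.exe">setup-x86.exe</a> (32-bit) or
<a href="http://cygwin.com/setup-x86_64.exe">setup-x86_64.exe</a> (64-bit).</p>
<a href="https://cygwin.com/faq.html">FAQ</a>
"""

class _LinkCollector(HTMLParser):
    """Collect every href on the page."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)

def insecure_downloads(html, exts=(".exe", ".msi")):
    """Return hrefs that fetch an executable over plain http.

    An http->https redirect does not cover this case: the first request
    still leaves the client in clear and can be answered by an on-path party.
    HSTS (RFC 6797) is what lets a browser skip that first http request.
    """
    parser = _LinkCollector()
    parser.feed(html)
    return [h for h in parser.hrefs
            if urlparse(h).scheme == "http"
            and urlparse(h).path.lower().endswith(exts)]

def hsts_status(headers, min_age=31536000):
    """Evaluate a Strict-Transport-Security header; returns (ok, reason).

    headers: response headers of the https page (case-insensitive names).
    min_age: assumed threshold of one year, a common deployment guideline.
    """
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return False, "no Strict-Transport-Security header"
    m = re.search(r"max-age\s*=\s*\"?(\d+)", value, re.I)
    if not m:
        return False, "max-age missing"
    age = int(m.group(1))
    if age < min_age:
        return False, f"max-age {age} below {min_age}"
    return True, "ok"
```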


