This is the mail archive of the
cygwin
mailing list for the Cygwin project.
Re: SSL not required for setup.exe download
On 2019-03-10 10:40, Archie Cobbs wrote:
> On Sun, Mar 10, 2019 at 9:16 AM Brian Inglis wrote:
>>> Is there any reason not to force this redirect and close this security hole?
There are apparently reasons not to force this redirect as it can also cause a
security hole.
>> The whole sourceware.org site include cygwin.com uses HSTS which compliant
>> supporting clients can use to switch to communicating over HTTPS.
>> Clients which are not compliant or don't support HTTPS may still download the
>> programs and files.
>
> I don't see how HSTS solves the particular issue that I'm referring to.
HSTS redirects requests from port 80 to 443 (HTTPS).
> HSTS only applies to connections that are *already* using HTTPS.
> Quoting Wikipedia:
>
> HSTS mechanism overview
>
> A server implements an HSTS policy by supplying a header over an
> HTTPS connection (HSTS headers over HTTP are ignored).
The HSTS Mechanism is a small part of the HSTS implementation:
https://tools.ietf.org/html/rfc6797
and the wiki article may not be a good description.
> In any case, the problem I'm talking about is trivial to verify. Just
> start up Chrome or Firefox and enter http://www.cygwin.com. You can
> then confirm that (a) the page you are looking at has an http:// URL,
> and (b) the link to setup.exe also has an http:// URL. Therefore,
> there is no real security in this scenario.
I only get to see https://www.cygwin.com/ YMMV
--
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada
This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple