SSL not required for setup.exe download
Andrey Repin
anrdaemon@yandex.ru
Sun Mar 10 13:35:00 GMT 2019
Greetings, Archie Cobbs!
> The FAQ states:
> The Cygwin website provides the setup program (setup-x86.exe or
> setup-x86_64.exe) using HTTPS (SSL/TLS).
> While this is true, it's not mandatory.
> If one happens to go to HTTP://www.cygwin.com instead of
> HTTPS://www.cygwin.com, then neither the page you are viewing (which
> contains the setup.exe download link), nor the setup.exe download link
> itself is secured via SSL.
> So someone who just types "cygwin.com" into the browser location bar
> and clicks on the setup.exe link is vulnerable to an MTM attack.
> It would be safer if http://www.cygwin.com always redirected you to
> https://www.cygwin.com, where the page and the link are SSL.
> Is there any reason not to force this redirect and close this security hole?
If you care that much, you would use https.
If not, then I see no reason to bend to a hysterical crowd.
--
With best regards,
Andrey Repin
Sunday, March 10, 2019 16:29:01
Sorry for my terrible English...
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple