This is the mail archive of the
mailing list for the Cygwin project.
Re: Cygwin website uses http: (not https:) for .exe downloads, allowing man-in-the-middle attack
- From: "David A. Wheeler" <dwheeler at dwheeler dot com>
- To: "cygwin" <cygwin at cygwin dot com>
- Date: Thu, 26 Feb 2015 18:23:59 -0500 (EST)
- Subject: Re: Cygwin website uses http: (not https:) for .exe downloads, allowing man-in-the-middle attack
- Authentication-results: sourceware.org; auth=none
- Reply-to: dwheeler at dwheeler dot com
On Thu, 26 Feb 2015 23:37:37 +0100, Corinna Vinschen <email@example.com> wrote:
> On Feb 26 17:31, David A. Wheeler wrote:
> > The Cygwin front web page ( https://www.cygwin.com/ ) says:
> > "Install it by running setup-x86.exe (32-bit installation) or
> > setup-x86_64.exe (64-bit installation)."
> Did you notice that you're automatically redirected to https?
Yes, but the redirect looks like it's vulnerable to a man-in-the-middle attack.
The front page http: hyperlink *disables* https on the request, because it explicitly asks for http: instead.
If the browser sees an "http" link, it typically uses http to send the request (unless HSTS is used).
In that case, a man-in-the-middle attacker can just intercept the http request and reply with
a malicious executable. When that happens cygwin.org never gets a chance to redirect anything.
It's possible it's okay (I haven't done a packet capture on it), but it looks really suspicious.
Links to executables should explicitly say "https://". It's a trivial change to the webpage, too.
> > You might also want to enable "HTTP Strict Transport Security" (HSTS)
> > on the Cygwin website.
> That's not for us to say. We're user of the site, not admins.
You can always ask the admins. Anyway, my key point is to make it possible
to *start* and *stay* on https: when downloading the .exe file (to prevent tampering).
--- David A. Wheeler
Problem reports: http://cygwin.com/problems.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple