This is the mail archive of the
mailing list for the Cygwin project.
Re: Cygwin website uses http: (not https:) for .exe downloads, allowing man-in-the-middle attack
- From: Warren Young <wyml at etr-usa dot com>
- To: The Cygwin Mailing List <cygwin at cygwin dot com>
- Date: Thu, 26 Feb 2015 17:39:55 -0700
- Subject: Re: Cygwin website uses http: (not https:) for .exe downloads, allowing man-in-the-middle attack
- Authentication-results: sourceware.org; auth=none
- References: <E1YR6y2-0008G9-Gr at rmm6prod02 dot runbox dot com> <CAPbcu1PA=VSL+EFj2uN0eTknNCVWVb8y62BcgotyAhbFqa1G7A at mail dot gmail dot com>
On Feb 26, 2015, at 3:39 PM, Darik Horn <firstname.lastname@example.org> wrote:
> Note that GPG signatures are published for the Cygwin setup binaries:
If someone can MITM the *.exe files, they can MITM the GPG sigs, too.
You could try and be diligent and check that the signature was made with a GPG key you trust, but Iâll bet most people who have checked this just test whether the signature is valid.
At its worst, GPGâs web of trust behaves like todayâs overly-trusting web browsers, which may have hundreds of CAs youâve never heard of. Just because your browser vendor trusts the CA doesnât mean you should, too. Getting a GPG public key via an untrusted path is exactly like that.
GPG sigs are better for authenticity detection than MD5/SHA hashes, but only by as much as the trustworthiness of the path you got the GPG public key via.
Problem reports: http://cygwin.com/problems.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple