This is the mail archive of the
mailing list for the Cygwin project.
SSL not required for setup.exe download
- From: Archie Cobbs <archie dot cobbs at gmail dot com>
- To: cygwin at cygwin dot com
- Date: Sat, 9 Mar 2019 22:54:29 -0600
- Subject: SSL not required for setup.exe download
The FAQ states:
The Cygwin website provides the setup program (setup-x86.exe or
setup-x86_64.exe) using HTTPS (SSL/TLS).
While this is true, it's not mandatory.
If one happens to go to HTTP://www.cygwin.com instead of
HTTPS://www.cygwin.com, then neither the page you are viewing (which
contains the setup.exe download link), nor the setup.exe download link
itself are secured via SSL.
So someone who just types "cygwin.com" into the browser location bar
and clicks on the setup.exe link is vulnerable to a MTM attack.
It would be safer if http://www.cygwin.com always redirected you to
https://www.cygwin.com, where the page and the link are SSL.
Is there any reason not to force this redirect and close this security hole?
Archie L. Cobbs
Problem reports: http://cygwin.com/problems.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple