This is the mail archive of the cygwin mailing list for the Cygwin project.


Re: SSL not required for setup.exe download

On 2019-03-10 10:40, Archie Cobbs wrote:
> On Sun, Mar 10, 2019 at 9:16 AM Brian Inglis wrote:
>>> Is there any reason not to force this redirect and close this security hole?

There are apparently reasons not to force this redirect as it can also cause a
security hole.

>> The whole site include uses HSTS which compliant
>> supporting clients can use to switch to communicating over HTTPS.
>> Clients which are not compliant or don't support HTTPS may still download the
>> programs and files.
> I don't see how HSTS solves the particular issue that I'm referring to.

HSTS redirects requests from port 80 to 443 (HTTPS).

> HSTS only applies to connections that are *already* using HTTPS.
> Quoting Wikipedia:
>     HSTS mechanism overview
>     A server implements an HSTS policy by supplying a header over an
> HTTPS connection (HSTS headers over HTTP are ignored).

The HSTS Mechanism is a small part of the HSTS implementation:

and the wiki article may not be a good description.

> In any case, the problem I'm talking about is trivial to verify. Just
> start up Chrome or Firefox and enter You can
> then confirm that (a) the page you are looking at has an http:// URL,
> and (b) the link to setup.exe also has an http:// URL. Therefore,
> there is no real security in this scenario.

I only get to see YMMV

Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.
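The behaviour the thread argues about (an HSTS header is honoured only when it arrives over HTTPS, so a client's first plain http:// request to a host is not upgraded until it has once seen the policy over a secure connection) can be modelled in a few lines. The following is an added example, not code from this thread or from the Cygwin project; the hostnames, the response headers and the in-memory stand-in for the network are constructed for the demonstration, and the client is a toy that implements only the header-processing rule of RFC 6797.

```python
"""Toy HSTS-aware client: shows which scheme each request actually uses."""
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass
class HstsEntry:
    expires: float            # absolute time after which the policy lapses
    include_subdomains: bool  # whether the policy also covers subdomains


def parse_hsts(header: Optional[str]) -> Optional[Tuple[int, bool]]:
    """Parse a Strict-Transport-Security value into (max_age, includeSubDomains).
    Returns None when the header is absent or carries no usable max-age."""
    if not header:
        return None
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(value.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


@dataclass
class HstsClient:
    # Constructed stand-in for the network: (scheme, host) -> response headers.
    responses: Dict[Tuple[str, str], Dict[str, str]]
    cache: Dict[str, HstsEntry] = field(default_factory=dict)
    clock: Callable[[], float] = time.time

    def _policy_applies(self, host: str) -> bool:
        """True if host, or a parent domain whose policy has includeSubDomains,
        is in the cache and has not expired."""
        now = self.clock()
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.cache.get(".".join(labels[i:]))
            if entry is None or entry.expires <= now:
                continue
            if i == 0 or entry.include_subdomains:
                return True
        return False

    def fetch(self, url: str) -> str:
        """Issue a request and return the scheme actually used ('http' or 'https')."""
        parts = urlsplit(url)
        scheme, host = parts.scheme, parts.hostname
        if scheme == "http" and self._policy_applies(host):
            scheme = "https"  # rewritten before any request leaves in plaintext
        headers = self.responses.get((scheme, host), {})
        hsts = parse_hsts(headers.get("Strict-Transport-Security"))
        # RFC 6797 section 8.1: the header is processed only on a secure transport;
        # an HSTS header received over plain HTTP is ignored.
        if scheme == "https" and hsts is not None:
            max_age, include_sub = hsts
            if max_age == 0:
                self.cache.pop(host, None)  # max-age=0 withdraws the policy
            else:
                self.cache[host] = HstsEntry(self.clock() + max_age, include_sub)
        return scheme


# Constructed responses: the site sends the header on both schemes.
SITE = {
    ("http", "example.org"): {"Strict-Transport-Security": "max-age=31536000"},
    ("https", "example.org"): {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
}


def demo() -> List[str]:
    """Scheme used for four http:// requests around one https:// visit."""
    client = HstsClient(SITE)
    first = client.fetch("http://example.org/setup.exe")   # no policy known yet
    second = client.fetch("http://example.org/setup.exe")  # HTTP header was ignored
    client.fetch("https://example.org/")                   # policy learned here
    third = client.fetch("http://example.org/setup.exe")   # upgraded by the cache
    fourth = client.fetch("http://mirror.example.org/")    # covered by includeSubDomains
    return [first, second, third, fourth]


if __name__ == "__main__":
    print(demo())
```

Running `demo()` yields `['http', 'http', 'https', 'https']`: the two requests made before the client has ever completed an HTTPS visit go out in plaintext even though the server sent the header on port 80, which is the gap described in the quoted message; only after the first secure visit does the cached policy rewrite later http:// URLs, including those for subdomains when `includeSubDomains` was set.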

