This is the mail archive of the
cygwin
mailing list for the Cygwin project.
Re: SSL not required for setup.exe download
On 2019-03-11 07:43, Archie Cobbs wrote:
> On Sun, Mar 10, 2019 at 10:51 PM Brian Inglis wrote:
>>>>> Is there any reason not to force this redirect and close this security hole?
>> There are apparently reasons not to force this redirect as it can also cause a
>> security hole.
> That's really interesting. Can you provide more detail?
Search for HTTP HTTPS redirection SSL stripping MitM attack
>>>> The whole sourceware.org site include cygwin.com uses HSTS which compliant
>>>> supporting clients can use to switch to communicating over HTTPS.
>>>> Clients which are not compliant or don't support HTTPS may still download the
>>>> programs and files.
>>> I don't see how HSTS solves the particular issue that I'm referring to.
>> HSTS redirects requests from port 80 to 443 (HTTPS).
> Not for me. Well, actually I'm getting inconsistent results...
> On Mac OS X, neither Firefox, Chrome nor Safari will redirect to SSL.
> On an old Windows 7 system, neither IE 8 (no surprise there) or Chrome
> redirects.
> However, with Chrome, it does not redirect at first, but once I've
> manually entered https://www.cygwin.com it seems to "realize" that a
> secure site exists, and after that it starts redirecting to SSL.
> I can revert that behavior by clearing the cache.
> So it seems in the case of Chrome, it has to be "taught" about the
> existence of the secure site... which of course takes us right back to
> the original problem.
Some sites, proxies, and CDNs respond with
HTTP/1.0 302 Found
and redirects to HTTPS:443 followed by the HTTP header.
--
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada
This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple