This is the mail archive of the
mailing list for the Cygwin project.
Re: SSL not required for setup.exe download
On 2019-03-11 07:43, Archie Cobbs wrote:
> On Sun, Mar 10, 2019 at 10:51 PM Brian Inglis wrote:
>>>>> Is there any reason not to force this redirect and close this security hole?
>> There are apparently reasons not to force this redirect as it can also cause a
>> security hole.
> That's really interesting. Can you provide more detail?
Search for HTTP HTTPS redirection SSL stripping MitM attack
>>>> The whole sourceware.org site include cygwin.com uses HSTS which compliant
>>>> supporting clients can use to switch to communicating over HTTPS.
>>>> Clients which are not compliant or don't support HTTPS may still download the
>>>> programs and files.
>>> I don't see how HSTS solves the particular issue that I'm referring to.
>> HSTS redirects requests from port 80 to 443 (HTTPS).
> Not for me. Well, actually I'm getting inconsistent results...
> On Mac OS X, neither Firefox, Chrome nor Safari will redirect to SSL.
> On an old Windows 7 system, neither IE 8 (no surprise there) or Chrome
> However, with Chrome, it does not redirect at first, but once I've
> manually entered https://www.cygwin.com it seems to "realize" that a
> secure site exists, and after that it starts redirecting to SSL.
> I can revert that behavior by clearing the cache.
> So it seems in the case of Chrome, it has to be "taught" about the
> existence of the secure site... which of course takes us right back to
> the original problem.
Some sites, proxies, and CDNs respond with
HTTP/1.0 302 Found
and redirects to HTTPS:443 followed by the HTTP header.
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada
This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.
Problem reports: http://cygwin.com/problems.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple