Cygwin website uses http: (not https:) for .exe downloads, allowing man-in-the-middle attack

David A. Wheeler
Thu Feb 26 23:18:00 GMT 2015

The Cygwin front web page ( ) says:
"Install it by running setup-x86.exe (32-bit installation) or setup-x86_64.exe (64-bit installation)."

However, both of the links to those .exe executables explicitly use "http://", and not "https://", even when you go to the https version of the Cygwin website.  This use of http: enables a man-in-the-middle attack on anyone trying to download the Cygwin installer.  In particular, a man-in-the-middle could maliciously modify the .exe, and there are many programs that can automatically insert malicious code into a Windows .exe file.

Please fix those links to use "https:", and not "http:".

You might also want to enable "HTTP Strict Transport Security" (HSTS) on the Cygwin website.

--- David A. Wheeler
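A defender-side check for the problem described above (an added example, not part of David A. Wheeler's post): it parses a page's HTML and flags executable download links whose resolved scheme is http rather than https. The page URL and HTML are constructed samples; example.invalid is a placeholder host.

```python
# Added example (not from the original post): flag executable download links
# on a page that are served over plain http, the issue the report describes.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Anything the user will run: a tampered download here means code execution.
EXECUTABLE_SUFFIXES = (".exe", ".msi", ".dmg", ".pkg", ".deb", ".rpm", ".sh", ".ps1")


class LinkCollector(HTMLParser):
    """Collect the href of every <a> element."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def find_insecure_downloads(page_url, html):
    """Return absolute URLs of executable downloads that use http: (not https:).
    Relative hrefs are resolved against page_url first, so only links that
    end up with an explicit http scheme are flagged."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href in parser.hrefs:
        absolute = urljoin(page_url, href)
        parsed = urlparse(absolute)
        if parsed.scheme == "http" and parsed.path.lower().endswith(EXECUTABLE_SUFFIXES):
            flagged.append(absolute)
    return flagged


# Constructed sample (example.invalid is a placeholder host): an https front
# page whose installer links are written with an explicit http:// scheme.
SAMPLE_PAGE_URL = "https://example.invalid/"
SAMPLE_HTML = """
<p>Install it by running
<a href="http://example.invalid/setup-x86.exe">setup-x86.exe</a> or
<a href="http://example.invalid/setup-x86_64.exe">setup-x86_64.exe</a>.</p>
<a href="/docs/install.html">Install notes</a>
<a href="/mirror/setup-x86.exe">mirror copy (relative link, inherits https)</a>
"""
```

Running `find_insecure_downloads(SAMPLE_PAGE_URL, SAMPLE_HTML)` reports only the two explicit http:// installer links; the relative mirror link inherits the page's https scheme and is not flagged.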

More information about the Cygwin mailing list