Cygwin website uses http: (not https:) for .exe downloads, allowing man-in-the-middle attack

Corinna Vinschen
Fri Feb 27 00:01:00 GMT 2015

On Feb 26 17:31, David A. Wheeler wrote:
> The Cygwin front web page ( ) says:
> "Install it by running setup-x86.exe (32-bit installation) or
> setup-x86_64.exe (64-bit installation)."
> However, both of the links to those .exe executables explicitly use
> "http://", and not "https://", even when you go to the https version
> of the Cygwin website.  This use of http: enables a man-in-the-middle
> attack on anyone trying to download the Cygwin installer.  In
> particular, a man-in-the-middle could maliciously modify the .exe, and
> there are many programs that can automatically insert malicious code
> into a Windows .exe file.

Did you notice that you're automatically redirected to https?

> Please fix those links to use "https:", and not "http:".
> You might also want to enable "HTTP Strict Transport Security" (HSTS)
> on the Cygwin website.

That's not for us to say.  We're users of the site, not admins.


Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
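The three things the thread touches on, as an added example that is not part of the original mail or the Cygwin project: flag installer links that still use http: on a page, classify what a plain-http fetch of such a link does (redirect to https or serve the file in the clear), and read the HSTS max-age a site advertises. The page HTML, URLs and response headers here are constructed.

```python
import re
from urllib.parse import urlparse, urljoin

# Constructed sample: a page served over https whose installer links use http:
SAMPLE_PAGE_URL = "https://example.invalid/"
SAMPLE_HTML = """
<p>Install it by running <a href="http://example.invalid/setup-x86.exe">setup-x86.exe</a>
(32-bit installation) or <a href="http://example.invalid/setup-x86_64.exe">setup-x86_64.exe</a>
(64-bit installation).</p>
<a href="/faq.html">FAQ</a>
"""

HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)
DOWNLOAD_EXT = (".exe", ".msi", ".zip", ".tar.gz", ".sh")


def find_insecure_downloads(html, page_url):
    """Return absolute URLs of downloadable artifacts that are linked over plain http."""
    hits = []
    for href in HREF_RE.findall(html):
        url = urljoin(page_url, href)          # resolve relative links against the page
        parsed = urlparse(url)
        if parsed.scheme == "http" and parsed.path.lower().endswith(DOWNLOAD_EXT):
            hits.append(url)
    return hits


def classify_http_response(status, headers, requested_url):
    """Classify what a plain-http fetch of requested_url did.
    headers: response headers with lowercase keys. A redirect to https only helps
    if that first plain-http request itself is not intercepted; HSTS closes that
    window for returning visitors, which is why both checks matter."""
    location = headers.get("location", "")
    target = urlparse(urljoin(requested_url, location)) if location else None
    if status in (301, 302, 303, 307, 308) and target and target.scheme == "https":
        return "redirects-to-https"
    if 200 <= status < 300:
        return "serves-over-http"            # installer bytes travel unauthenticated
    return "other"


def hsts_max_age(headers):
    """Return max-age from a Strict-Transport-Security header, or 0 if absent/invalid.
    The header is only honoured by browsers when received over https."""
    value = headers.get("strict-transport-security", "")
    m = re.search(r'max-age\s*=\s*"?(\d+)', value, re.IGNORECASE)
    return int(m.group(1)) if m else 0
```

Run `find_insecure_downloads` over a fetched page and feed each flagged URL's http response to `classify_http_response`; any "serves-over-http" result is a link that should become https:, and an `hsts_max_age` of 0 on the https response means HSTS is not enabled.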