Cygwin website uses http: (not https:) for .exe downloads, allowing man-in-the-middle attack
Corinna Vinschen
corinna-cygwin@cygwin.com
Fri Feb 27 00:01:00 GMT 2015
On Feb 26 17:31, David A. Wheeler wrote:
> The Cygwin front web page ( https://www.cygwin.com/ ) says:
> "Install it by running setup-x86.exe (32-bit installation) or
> setup-x86_64.exe (64-bit installation)."
>
> However, both of the links to those .exe executables explicitly use
> "http://", and not "https://", even when you go to the https version
> of the Cygwin website. This use of http: enables a man-in-the-middle
> attack on anyone trying to download the Cygwin installer. In
> particular, a man-in-the-middle could maliciously modify the .exe, and
> there are many programs that can automatically insert malicious code
> into a Windows .exe file.
Did you notice that you're automatically redirected to https?
> Please fix those links to use "https:", and not "http:".
>
> You might also want to enable "HTTP Strict Transport Security" (HSTS)
> on the Cygwin website.
That's not for us to say. We're users of the site, not admins.
Corinna
--
Corinna Vinschen
Cygwin Maintainer
Red Hat

Please, send mails regarding Cygwin to cygwin AT cygwin DOT com
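The two points the exchange above turns on can be checked mechanically: whether a page's installer links are absolute http:// URLs, and what a client that follows such a link actually sees, namely a plaintext first request even when the server answers it with a redirect to https, plus whether the https response carries a Strict-Transport-Security header that would let a browser skip that plaintext hop on later visits. The following is an added example, not code from this thread or from the Cygwin project; the HTML snippet, the host name downloads.example.test and the response chains are constructed samples, not captures from cygwin.com.

```python
"""Audit installer links and the transport a client sees when fetching them.
Added example; all sample data below is constructed, not captured."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

REDIRECT_STATUSES = (301, 302, 303, 307, 308)


class LinkCollector(HTMLParser):
    """Collect href values of <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def find_plaintext_downloads(html, suffixes=(".exe", ".msi", ".zip")):
    """Return links that are absolute http:// URLs to a file ending in `suffixes`.
    Relative and scheme-relative (//host/...) links inherit the page's scheme,
    so they are not flagged."""
    parser = LinkCollector()
    parser.feed(html)
    return [href for href in parser.links
            if urlparse(href).scheme == "http"
            and urlparse(href).path.lower().endswith(suffixes)]


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value. Returns None if the header is
    absent or has no valid max-age (a browser would then ignore it)."""
    if not header_value:
        return None
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                return None
            result["max_age"] = int(value)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result if result["max_age"] is not None else None


def _header(headers, name):
    """Case-insensitive header lookup."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def assess_download(first_url, chain):
    """`chain` is the list of (status, headers) a client receives, in order,
    while following redirects from `first_url`. Every hop made over http is
    recorded as plaintext: an on-path attacker can answer that request
    directly, so a later redirect to https does not protect it. HSTS is only
    honoured when received over https (RFC 6797)."""
    url = first_url
    plaintext_hops, hsts = [], None
    for status, headers in chain:
        scheme = urlparse(url).scheme
        if scheme == "http":
            plaintext_hops.append(url)
        elif scheme == "https":
            parsed = parse_hsts(_header(headers, "Strict-Transport-Security"))
            if parsed:
                hsts = parsed
        location = _header(headers, "Location")
        if status in REDIRECT_STATUSES and location:
            url = urljoin(url, location)
            continue
        break
    return {"first_hop_plaintext": urlparse(first_url).scheme == "http",
            "plaintext_hops": plaintext_hops,
            "final_url": url,
            "hsts": hsts}


# Constructed sample page: two http:// installer links, one https link, one relative link.
SAMPLE_HTML = """
<p>Install it by running
<a href="http://downloads.example.test/setup-x86.exe">setup-x86.exe</a> or
<a href="http://downloads.example.test/setup-x86_64.exe">setup-x86_64.exe</a>.</p>
<a href="https://downloads.example.test/setup-x86_64.exe">mirror</a>
<a href="/docs/faq.html">FAQ</a>
"""

# Constructed chain: plaintext request answered by a 301 to https, then the file.
SAMPLE_CHAIN = [
    (301, {"Location": "https://downloads.example.test/setup-x86.exe"}),
    (200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
           "Content-Type": "application/octet-stream"}),
]

if __name__ == "__main__":
    print("http:// installer links:", find_plaintext_downloads(SAMPLE_HTML))
    print(assess_download("http://downloads.example.test/setup-x86.exe", SAMPLE_CHAIN))
```

Run against the constructed sample, the audit flags both http:// installer links, and the chain assessment shows that the first request still travels in the clear even though the server redirects to https; the HSTS header on the final response only helps a browser that has already seen it once over https.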