Cygwin website uses http: (not https:) for .exe downloads, allowing man-in-the-middle attack

David A. Wheeler
Fri Feb 27 01:50:00 GMT 2015

On Thu, 26 Feb 2015 23:37:37 +0100, Corinna Vinschen <> wrote:
> On Feb 26 17:31, David A. Wheeler wrote:
> > The Cygwin front web page ( ) says:
> > "Install it by running setup-x86.exe (32-bit installation) or
> > setup-x86_64.exe (64-bit installation)."
> > 
> Did you notice that you're automatically redirected to https?

Yes, but the redirect looks like it's vulnerable to a man-in-the-middle attack.
The front page http: hyperlink *disables* https on the request, because it explicitly asks for http: instead.
If the browser sees an "http" link, it typically uses http to send the request (unless HSTS is used).
In that case, a man-in-the-middle attacker can just intercept the http request and reply with
a malicious executable.  When that happens never gets a chance to redirect anything.
It's possible it's okay (I haven't done a packet capture on it), but it looks really suspicious.

Links to executables should explicitly say "https://".  It's a trivial change to the webpage, too.

> > You might also want to enable "HTTP Strict Transport Security" (HSTS)
> > on the Cygwin website.

Corinna Vinschen:
> That's not for us to say.  We're user of the site, not admins.

You can always ask the admins.  Anyway, my key point is to make it possible
to *start* and *stay* on https: when downloading the .exe file (to prevent tampering).

--- David A. Wheeler

Problem reports:
Unsubscribe info:

More information about the Cygwin mailing list