Cygwin website uses http: (not https:) for .exe downloads, allowing man-in-the-middle attack

Yaakov Selkowitz
Fri Feb 27 09:17:00 GMT 2015

On Thu, 2015-02-26 at 17:31 -0500, David A. Wheeler wrote:
> The Cygwin front web page ( ) says:
> "Install it by running setup-x86.exe (32-bit installation) or
>  setup-x86_64.exe (64-bit installation)."
> However, both of the links to those .exe executables explicitly
> use "http://", and not "https://", even when you go to the https
> version of the Cygwin website.

The links are now relative, so this should no longer be an issue.

Thanks for reporting,


Problem reports:
Unsubscribe info:

More information about the Cygwin mailing list