SSL not required for setup.exe download

Archie Cobbs
Sun Mar 10 04:54:00 GMT 2019

The FAQ states:

    The Cygwin website provides the setup program (setup-x86.exe or
setup-x86_64.exe) using HTTPS (SSL/TLS).

While this is true, it's not mandatory.

If one happens to go to HTTP:// instead of
HTTPS://, then neither the page you are viewing (which
contains the setup.exe download link), nor the setup.exe download link
itself are secured via SSL.

So someone who just types "" into the browser location bar
and clicks on the setup.exe link is vulnerable to a MTM attack.

It would be safer if always redirected you to, where the page and the link are SSL.

Is there any reason not to force this redirect and close this security hole?


Archie L. Cobbs

Problem reports:
Unsubscribe info:

More information about the Cygwin mailing list