SSL not required for setup.exe download

Andrey Repin
Sun Mar 10 13:35:00 GMT 2019

Greetings, Archie Cobbs!

> The FAQ states:

>     The Cygwin website provides the setup program (setup-x86.exe or
> setup-x86_64.exe) using HTTPS (SSL/TLS).

> While this is true, it's not mandatory.

> If one happens to go to HTTP:// instead of
> HTTPS://, then neither the page you are viewing (which
> contains the setup.exe download link), nor the setup.exe download link
> itself is secured via SSL.

> So someone who just types "" into the browser location bar
> and clicks on the setup.exe link is vulnerable to an MTM attack.

> It would be safer if always redirected you to
>, where the page and the link are SSL.

> Is there any reason not to force this redirect and close this security hole?

If you care that much, you would use https.
If not, then I see no reason to bend to the hysteric crowd.
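The behaviour discussed in this thread can be checked mechanically. The following is an added example, not part of the original message or of the Cygwin project: it audits a recorded fetch chain for hops that serve content over cleartext HTTP, redirects that never reach HTTPS, and HTTPS responses without HSTS. The host `site.example`, the function `audit_chain` and both sample chains are constructed for illustration.

```python
from urllib.parse import urlsplit

REDIRECTS = (301, 302, 303, 307, 308)

def audit_chain(hops):
    """hops: (url, status, headers) tuples in the order a browser fetched them.
    Returns a list of findings; an empty list means no cleartext exposure
    beyond the very first redirect response."""
    findings = []
    for i, (url, status, headers) in enumerate(hops):
        scheme = urlsplit(url).scheme.lower()
        h = {k.lower(): v for k, v in headers.items()}
        location = h.get("location", "")
        is_redirect = status in REDIRECTS and bool(location)
        # A relative Location has an empty scheme, so it keeps the current one.
        target = urlsplit(location).scheme.lower() or scheme
        if scheme == "http":
            if not is_redirect:
                findings.append(f"hop {i}: content served over cleartext HTTP: {url}")
            elif target != "https":
                findings.append(f"hop {i}: redirect stays on cleartext: {location}")
        elif scheme == "https":
            if is_redirect and target == "http":
                findings.append(f"hop {i}: HTTPS downgrades to HTTP: {location}")
            # Without HSTS the browser will try http:// again on the next visit.
            if not is_redirect and "strict-transport-security" not in h:
                findings.append(f"hop {i}: no Strict-Transport-Security on {url}")
    return findings

# Constructed sample: the situation described in the quoted report.
NO_REDIRECT = [
    ("http://site.example/", 200, {"Content-Type": "text/html"}),
    ("http://site.example/setup-x86_64.exe", 200, {"Content-Type": "application/octet-stream"}),
]

# Constructed sample: the requested behaviour, with HSTS on the HTTPS side.
HSTS = {"Strict-Transport-Security": "max-age=31536000"}
FORCED = [
    ("http://site.example/", 301, {"Location": "https://site.example/"}),
    ("https://site.example/", 200, HSTS),
    ("https://site.example/setup-x86_64.exe", 200, HSTS),
]

if __name__ == "__main__":
    for name, chain in (("NO_REDIRECT", NO_REDIRECT), ("FORCED", FORCED)):
        print(name, audit_chain(chain) or "ok")
```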

