SSL not required for setup.exe download

Brian Inglis
Sun Mar 10 14:16:00 GMT 2019

On 2019-03-09 21:54, Archie Cobbs wrote:
> The FAQ states:
>     The Cygwin website provides the setup program (setup-x86.exe or
> setup-x86_64.exe) using HTTPS (SSL/TLS).
> While this is true, it's not mandatory.
> If one happens to go to HTTP:// instead of
> HTTPS://, then neither the page you are viewing (which
> contains the setup.exe download link), nor the setup.exe download link
> itself are secured via SSL.
> So someone who just types "" into the browser location bar
> and clicks on the setup.exe link is vulnerable to a MTM attack.
> It would be safer if always redirected you to
>, where the page and the link are SSL.
> Is there any reason not to force this redirect and close this security hole?

The whole site include uses HSTS which compliant
supporting clients can use to switch to communicating over HTTPS.
Clients which are not compliant or don't support HTTPS may still download the
programs and files.

Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.

Problem reports:
Unsubscribe info:

More information about the Cygwin mailing list