SSL not required for setup.exe download

L A Walsh
Sun Mar 10 23:20:00 GMT 2019

On 3/10/2019 7:16 AM, Brian Inglis wrote:
> On 2019-03-09 21:54, Archie Cobbs wrote:
>> It would be safer if always redirected you to
>>, where the page and the link are SSL.
>> Is there any reason not to force this redirect and close this security hole?
    I think the point is that if you redirect and a client can't
speak https, what happens?  Wouldn't they get an error that would
prevent them from using the site?

    Google has a vested interest in getting people locked in on
https -- makes it much harder for people to use proxies and lower
their requests to google and for them to block some requests.  They get
to control what you get -- not you.

> The whole site include uses HSTS which compliant
> supporting clients can use to switch to communicating over HTTPS.
> Clients which are not compliant or don't support HTTPS may still download the
> programs and files.

Problem reports:
Unsubscribe info:

More information about the Cygwin mailing list