SSL not required for setup.exe download

Brian Inglis
Mon Mar 11 11:50:00 GMT 2019

On 2019-03-10 23:16, Mark Geisert wrote:
> On 2019-03-10, Brian Inglis wrote:
>> On 2019-03-10 10:40, Archie Cobbs wrote:
>>> In any case, the problem I'm talking about is trivial to verify. Just
>>> start up Chrome or Firefox and enter You can
>>> then confirm that (a) the page you are looking at has an http:// URL,
>>> and (b) the link to setup.exe also has an http:// URL. Therefore,
>>> there is no real security in this scenario.
>> I only get to see YMMV
> FWIW, I can reproduce the OP's STC using Chrome, Firefox, and Pale Moon.  Not
> sure why it happens for some folks but not others.  But since it does exist for
> some users, should it be dealt with?

It is possible that some of the clients on some of the systems accessing
sourceware projects may not be capable of supporting HTTPS, TLS, or HSTS, so a
permanent 301 redirection to HTTPS:443 may not be feasible.

If the sourcemaster at dealt with the issues below:

by changing the header from:

	Strict-Transport-Security: max-age=16070400


	Strict-Transport-Security: max-age=16070400; includeSubDomains; preload

it could be automatic soon in most major browsers using the Chromium/Mozilla
preload list:

but some of us are currently redirected while others are not.

I have probably been using HTTPS in browsers and scripts since it was supported
by and
It looks like once browsers or clients have seen the HTTPS:443 STS header, or if
a site is on a preload list, they redirect to HTTPS:443; if you use wget, check
for ~/.wget-hsts which should contain {,www.}{,} if you
used wget to access those sites.

Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.

Problem reports:
Unsubscribe info:

More information about the Cygwin mailing list