SSL should not be required for open source downloading

L A Walsh
Mon Mar 11 20:24:00 GMT 2019

On 3/11/2019 6:43 AM, Archie Cobbs wrote:
> On Sun, Mar 10, 2019 at 10:51 PM Brian Inglis
> <> wrote:
>>>>> Is there any reason not to force this redirect and close this security hole?
>> There are apparently reasons not to force this redirect as it can also cause a
>> security hole.
> That's really interesting. Can you provide more detail?
I know that was directed at Brian, but...
Because if the assumption is that the site uses https or will redirect it,
then to start the session the client would send startTLS parameters.

If it so happens that part of the site, does not use https, then
an attacker could grab those initial parameters.  Somehow providing
"opensource" binaries doesn't seem like the type of thing that needs
or should even have encryption.
>>>> The whole site include uses HSTS which compliant supporting clients can use to switch to communicating over HTTPS. Clients which are not compliant or don't support HTTPS may still download the programs and files.
>>> I don't see how HSTS solves the particular issue that I'm referring to.
>> HSTS redirects requests from port 80 to 443 (HTTPS).
> Not for me. Well, actually I'm getting inconsistent results...
> On Mac OS X, neither Firefox, Chrome nor Safari will redirect to SSL.
FWIW, apple customizes their library behaviors and doesn't always follow the
> On an old Windows 7 system, neither IE 8 (no surprise there) or Chrome
> redirects.
    HSTS is only set from HTTPS.  If you only access the site in cleartext,
that is what you will get.  If you don't understand HSTS, perhaps reading
and understanding the document would be good before promoting it -- just

Problem reports:
Unsubscribe info:

More information about the Cygwin mailing list