SSL not required for setup.exe download
Lee
ler762@gmail.com
Tue Mar 12 19:45:00 GMT 2019
On 3/11/19, Andrey Repin wrote:
> Greetings, Archie Cobbs!
>
>> I must say I'm surprised so many people think it's a good idea to
>> leave cygwin open to trivial MITM attacks, which is the current state
>> of affairs.
>
>> This is my opinion only of course, but if cygwin wants to have any
>> security credibility, it should simply disallow non-SSL downloads of
>> setup.exe. Otherwise the chain of authenticity is broken forever.
>
> All the SSL stuff is build on idea of implicit unlimited trust.
I agree, the whole certificate authority bit seems to .. over-promise.
On the other hand, it does also seems to "raise the bar" making it
much more difficult to snoop or alter data in transit.
> Which is way worse in my opinion, than any theoretical MITM attack, which
> is easily mitigated with proper validation of your downloads.
Serious question - exactly how does one do "proper validation of your
downloads"?
For example, I don't have the current version of 7-zip
https://www.7-zip.org/
has a download link, but I don't see anything for a .sig, checksum or anything.
https://sourceforge.net/projects/sevenzip/files/7-Zip/19.00/
isn't any better.
It seems to me that the best I can do is make sure I do the download
via an https:// link
> It gives you false sense of security. What is worse, everybody is
> attempting
> to reassure this false sense on every possible occasion.
I don't think it's a false sense of security. https:// isn't "safe"
but it is _safer_ than http://
Regards,
Lee
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
More information about the Cygwin
mailing list