SSL not required for setup.exe download

Tue Mar 12 19:45:00 GMT 2019

On 3/11/19, Andrey Repin  wrote:
> Greetings, Archie Cobbs!
>> I must say I'm surprised so many people think it's a good idea to
>> leave cygwin open to trivial MITM attacks, which is the current state
>> of affairs.
>> This is my opinion only of course, but if cygwin wants to have any
>> security credibility, it should simply disallow non-SSL downloads of
>> setup.exe. Otherwise the chain of authenticity is broken forever.
> All the SSL stuff is built on the idea of implicit unlimited trust.

I agree, the whole certificate authority bit seems to ... over-promise.
On the other hand, it does also seem to "raise the bar", making it
much more difficult to snoop or alter data in transit.

> Which is way worse in my opinion, than any theoretical MITM attack, which
> is easily mitigated with proper validation of your downloads.

Serious question - exactly how does one do "proper validation of your

For example, I don't have the current version of 7-zip
has a download link, but I don't see anything for a .sig, checksum or anything.
isn't any better.
It seems to me that the best I can do is make sure I do the download
via an https:// link

> It gives you a false sense of security. What is worse, everybody is
> attempting to reassure this false sense on every possible occasion.

I don't think it's a false sense of security.  https:// isn't "safe"
but it is _safer_ than http://

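Added example, not from this thread or the Cygwin project: one way to do the "proper validation" asked about above, checking a downloaded installer against a sha256sum-style checksum list that was obtained over a separately trusted channel. The file name setup.exe, the file contents and the checksum values below are constructed for the demo; a vendor's published checksum or .sig file, where one exists, would take their place.

```python
import hashlib
import hmac
import os
import tempfile

def parse_sha256sums(text):
    """Parse `sha256sum` output lines ('<64 hex>  <name>' or '<64 hex> *<name>') into {name: digest}."""
    entries = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2 or line.lstrip().startswith("#"):
            continue
        digest, name = parts[0].lower(), parts[1].lstrip("*")
        # Skip malformed lines instead of trusting them; a bad entry must not verify anything.
        if len(digest) == 64 and all(c in "0123456789abcdef" for c in digest):
            entries[name] = digest
    return entries

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_download(path, sums_text):
    """Return (ok, reason). `sums_text` must come from a channel trusted independently of the download."""
    name = os.path.basename(path)
    expected = parse_sha256sums(sums_text).get(name)
    if expected is None:
        return False, "no checksum listed for %s" % name
    if not hmac.compare_digest(sha256_file(path), expected):
        return False, "checksum mismatch for %s" % name
    return True, "ok"

def demo():
    """Constructed scenario: a fake 'setup.exe' whose content is b'abc' (known SHA-256), then a tampered copy."""
    good_sum = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
    sums = "# constructed SHA256SUMS file\n%s  setup.exe\n" % good_sum
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "setup.exe")
        with open(path, "wb") as f:
            f.write(b"abc")
        ok_good = verify_download(path, sums)
        with open(path, "wb") as f:
            f.write(b"abd")  # one byte altered, as a MITM on plain http could do
        ok_tampered = verify_download(path, sums)
        ok_missing = verify_download(os.path.join(d, "other.exe"), sums)
    return ok_good, ok_tampered, ok_missing
```

A checksum fetched from the same unauthenticated server as the download adds nothing against the MITM being discussed; it has to come over https from a trusted site, or better, be covered by a detached signature checked against a key obtained earlier.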