On 2019-03-12 07:47, Archie Cobbs wrote:
> On Mon, Mar 11, 2019 at 6:00 PM Lee wrote:
>>> I must say I'm surprised so many people think it's a good idea to
>>> leave cygwin open to trivial MITM attacks, which is the current state
>>> of affairs.
>> But it's only open to a trivial MITM attack if the user types in
>> "http://cygwin.com" - correct? Why isn't the fix "don't do that"?
> Because security that rests on assuming humans will always do the
> correct thing has proven to be unreliable (understatement).
>>> This is my opinion only of course, but if cygwin wants to have any
>>> security credibility, it should simply disallow non-SSL downloads of
>>> setup.exe. Otherwise the chain of authenticity is broken forever.
>> They sign setup.exe, so "the chain of authenticity" is there regardless.
>> https://cygwin.com/setup-x86_64.exe
>> https://cygwin.com/setup-x86_64.exe.sig
> I don't see your point.
> Downloading the sig file over HTTP is useless... any attacker going to
> the trouble to launch a MITM attack for setup.exe will certainly also
> do it for the sig file as well.
> OTOH, if you download the file over HTTPS.. then your client supports
> SSL. Which is exactly what I'm saying should be mandatory.
Forcing TLS means blocking anyone who for any reason can not use TLS: this is a performance and support burden compared to allowing both HTTP:80 and HTTPS:443.
Same reasons most ISPs/ASes/orgs don't filter or validate packet source IP addresses per BCP 38 which would stop most abuses!

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains too much
technical detail. Reader discretion is advised.

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
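The check the thread is arguing about, written out as an added example (this is not code from the cygwin project or from any of the posters). It fetches setup.exe and its detached .sig over TLS only, and verifies the signature against a keyring that was obtained out of band, which is the step that makes a .sig worth anything: a signature file that arrives over the same plain-HTTP channel as the binary can be swapped by the same MITM, exactly as Archie says, and so can a public key fetched that way. The keyring path `cygwin-release.gpg` and the requirement that `gpg` is on PATH are assumptions made for this example; the URLs are the two quoted in the thread.

```python
"""
Added example, not part of the original thread or of cygwin's own tooling.

Two rules, both needed:
  1. Download the binary AND the .sig over HTTPS only (no http:// fallback,
     no redirect to http://).
  2. Verify the .sig against a public key you already hold from a trusted
     source, never against a key fetched alongside it.

Assumed for illustration: a keyring file `cygwin-release.gpg` obtained and
checked out of band, and a `gpg` binary on PATH.
"""
import subprocess
import urllib.parse
import urllib.request
from pathlib import Path

SETUP_URL = "https://cygwin.com/setup-x86_64.exe"       # quoted in the thread
SIG_URL = "https://cygwin.com/setup-x86_64.exe.sig"      # quoted in the thread
PINNED_KEYRING = Path("cygwin-release.gpg")              # assumed, out of band


def url_is_acceptable(url: str) -> bool:
    """True only for an https:// URL with a host part."""
    parts = urllib.parse.urlsplit(url)
    return parts.scheme == "https" and bool(parts.netloc)


def require_https(url: str) -> str:
    """Refuse anything but https://. An http:// fetch of either the binary
    or the .sig is precisely the trivial-MITM exposure discussed above."""
    if not url_is_acceptable(url):
        raise ValueError(f"refusing non-TLS or malformed download URL: {url}")
    return url


def fetch(url: str, dest: Path) -> Path:
    """Download over TLS. urllib checks the server certificate against the
    system trust store by default, so a MITM without a trusted certificate
    gets a handshake failure rather than a chance to rewrite bytes."""
    with urllib.request.urlopen(require_https(url)) as resp:
        # urllib follows redirects, including to http://. If that happened,
        # the bytes we hold came over plaintext: refuse to keep them.
        require_https(resp.geturl())
        dest.write_bytes(resp.read())
    return dest


def verify_detached(artifact: Path, signature: Path, keyring: Path) -> bool:
    """Verify `signature` over `artifact` using ONLY the pinned keyring.
    --no-default-keyring stops gpg consulting whatever happens to be in
    ~/.gnupg, and no auto-key-retrieve option is given, so a key substituted
    by the attacker cannot ride along with a substituted .sig."""
    if not keyring.is_file():
        raise RuntimeError(f"pinned keyring missing: {keyring}")
    cmd = [
        "gpg", "--batch", "--no-default-keyring",
        "--keyring", str(keyring.resolve()),
        "--verify", str(signature), str(artifact),
    ]
    try:
        result = subprocess.run(cmd, capture_output=True, text=True)
    except FileNotFoundError as exc:
        raise RuntimeError("gpg not found on PATH (assumed by this example)") from exc
    return result.returncode == 0


if __name__ == "__main__":
    exe = fetch(SETUP_URL, Path("setup-x86_64.exe"))
    sig = fetch(SIG_URL, Path("setup-x86_64.exe.sig"))
    if not verify_detached(exe, sig, PINNED_KEYRING):
        raise SystemExit("signature did not verify against the pinned key; do not run it")
    print("ok: setup-x86_64.exe verified against the pinned key")
```

The pinned keyring is the piece neither side of the thread spells out: with it, the .sig is meaningful even if the attacker controls the transport, because they cannot forge a signature for a key they do not hold; without it, `gpg --verify` against a key obtained from the same untrusted channel proves nothing. The https-only rule is still worth enforcing on top, since it denies the attacker the tampering opportunity in the first place and removes the "user typed http://" failure mode that Lee raises.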