On Fri, Mar 15, 2019 at 8:25 AM Brian Inglis wrote:
> ... corporate policies, proxies, firewalls, security products.
> Systems or images older than a year may need the new root CA installed - some
> enterprises are very selective about including support for anything in their
> images - and users ma
On 2019-03-12 08:58, Archie Cobbs wrote:
> On Tue, Mar 12, 2019 at 9:32 AM Brian Inglis wrote:
>>> OTOH, if you download the file over HTTPS.. then your client supports
>>> SSL. Which is exactly what I'm saying should be mandatory.
>> Forcing TLS means blocking anyone who for any reason can not us
Greetings, Lee!
> On 3/12/19, Andrey Repin wrote:
>> Greetings, Lee!
>>
It gives you a false sense of security. What is worse, everybody is
attempting to reassure this false sense on every possible occasion.
>>
>>> I don't think it's a false sense of security. https:// isn't "safe"
>
On 3/12/19, Andrey Repin wrote:
> Greetings, Lee!
>
> Which is way worse in my opinion, than any theoretical MITM attack,
> which is easily mitigated with proper validation of your downloads.
>>>
Serious question - exactly how does one do "proper validation of your
downloads
On 3/12/19, Andrey Repin wrote:
> Greetings, Lee!
>
>>> It gives you a false sense of security. What is worse, everybody is
>>> attempting to reassure this false sense on every possible occasion.
>
>> I don't think it's a false sense of security. https:// isn't "safe"
>> but it is _safer_ than h
Greetings, Lee!
>> Greetings, Lee!
>>
Which is way worse in my opinion, than any theoretical MITM attack,
which is easily mitigated with proper validation of your downloads.
>>
>>> Serious question - exactly how does one do "proper validation of your
>>> downloads"?
>>
>> Use PGP si
Greetings, Lee!
>> It gives you a false sense of security. What is worse, everybody is
>> attempting to reassure this false sense on every possible occasion.
> I don't think it's a false sense of security. https:// isn't "safe"
> but it is _safer_ than http://
Yep. Now, let's recall mcafee, no
On 3/12/19, Achim Gratz wrote:
> Lee writes:
>> I don't think it's a false sense of security. https:// isn't "safe"
>> but it is _safer_ than http://
>
> Unless you are in an environment where an extra root cert is injected
> just to be able to break up the encrypted connection. Which is a lot
>
On 3/12/19, Andrey Repin wrote:
> Greetings, Lee!
>
>>> Which is way worse in my opinion, than any theoretical MITM attack,
>>> which is easily mitigated with proper validation of your downloads.
>
>> Serious question - exactly how does one do "proper validation of your
>> downloads"?
>
> Use
Lee writes:
> I don't think it's a false sense of security. https:// isn't "safe"
> but it is _safer_ than http://
Unless you are in an environment where an extra root cert is injected
just to be able to break up the encrypted connection. Which is a lot
more common than people think and is not q
Greetings, Lee!
>> Which is way worse in my opinion, than any theoretical MITM attack, which
>> is easily mitigated with proper validation of your downloads.
> Serious question - exactly how does one do "proper validation of your
> downloads"?
Use PGP signature to validate the installer. Use sep
On 3/12/19, Archie Cobbs wrote:
> On Mon, Mar 11, 2019 at 6:00 PM Lee wrote:
>> > I must say I'm surprised so many people think it's a good idea to
>> > leave cygwin open to trivial MITM attacks, which is the current state
>> > of affairs.
>>
>> But it's only open to a trivial MITM attack if the u
On 3/11/19, Andrey Repin wrote:
> Greetings, Archie Cobbs!
>
>> I must say I'm surprised so many people think it's a good idea to
>> leave cygwin open to trivial MITM attacks, which is the current state
>> of affairs.
>
>> This is my opinion only of course, but if cygwin wants to have any
>> secur
Archie Cobbs writes:
> Downloading the sig file over HTTP is useless... any attacker going to
> the trouble to launch a MITM attack for setup.exe will certainly also
> do it for the sig file as well.
No, the signature would be rejected if you cared to actually check the
key and signature (truly ch
On Tue, Mar 12, 2019 at 9:32 AM Brian Inglis wrote:
> > OTOH, if you download the file over HTTPS.. then your client supports
> > SSL. Which is exactly what I'm saying should be mandatory.
>
> Forcing TLS means blocking anyone who for any reason can not use TLS: this is
> a performance and supp
On 2019-03-12 07:47, Archie Cobbs wrote:
> On Mon, Mar 11, 2019 at 6:00 PM Lee wrote:
>>> I must say I'm surprised so many people think it's a good idea to
>>> leave cygwin open to trivial MITM attacks, which is the current state
>>> of affairs.
>> But it's only open to a trivial MITM attack if the
On Mon, Mar 11, 2019 at 6:00 PM Lee wrote:
> > I must say I'm surprised so many people think it's a good idea to
> > leave cygwin open to trivial MITM attacks, which is the current state
> > of affairs.
>
> But it's only open to a trivial MITM attack if the user types in
> "http://cygwin.com" - co
Greetings, Archie Cobbs!
> On Mon, Mar 11, 2019 at 2:43 PM Brian Inglis
>> On 2019-03-11 07:43, Archie Cobbs wrote:
>> > On Sun, Mar 10, 2019 at 10:51 PM Brian Inglis wrote:
>> > Is there any reason not to force this redirect and close this security
>> > hole?
>> >> There are apparently
On 3/11/19, Archie Cobbs wrote:
> On Mon, Mar 11, 2019 at 2:43 PM Brian Inglis wrote:
>> On 2019-03-11 07:43, Archie Cobbs wrote:
>> > On Sun, Mar 10, 2019 at 10:51 PM Brian Inglis wrote:
>> > Is there any reason not to force this redirect and close this
>> > security hole?
>> >> There are
On Mon, Mar 11, 2019 at 2:43 PM Brian Inglis wrote:
> On 2019-03-11 07:43, Archie Cobbs wrote:
> > On Sun, Mar 10, 2019 at 10:51 PM Brian Inglis wrote:
> > Is there any reason not to force this redirect and close this security
> > hole?
> >> There are apparently reasons not to force this
On 2019-03-11 07:43, Archie Cobbs wrote:
> On Sun, Mar 10, 2019 at 10:51 PM Brian Inglis wrote:
> Is there any reason not to force this redirect and close this security
> hole?
>> There are apparently reasons not to force this redirect as it can also cause
>> a security hole.
> That's
On Sun, Mar 10, 2019 at 10:51 PM Brian Inglis wrote:
> >>> Is there any reason not to force this redirect and close this security
> >>> hole?
>
> There are apparently reasons not to force this redirect as it can also cause a
> security hole.
That's really interesting. Can you provide more detail
On 3/11/2019 6:22 AM, L A Walsh wrote:
> On 3/10/2019 8:53 PM, Archie Cobbs wrote:
>
>> I guess so. Can you name any such client?
>>
---
Depends on the site, but for several months my browser would get
an error if I tried to goto my distro's website. They implemented
hsts, but were usi
On 3/10/2019 8:53 PM, Archie Cobbs wrote:
> On Sun, Mar 10, 2019 at 6:20 PM L A Walsh wrote:
>
It would be safer if http://www.cygwin.com always redirected you to
https://www.cygwin.com, where the page and the link are SSL.
Is there any reason not to force this redirect and close
On 2019-03-10 21:53, Archie Cobbs wrote:
> On Sun, Mar 10, 2019 at 6:20 PM L A Walsh wrote:
It would be safer if http://www.cygwin.com always redirected you to
https://www.cygwin.com, where the page and the link are SSL.
Is there any reason not to force this redirect and close this
On 2019-03-10 23:16, Mark Geisert wrote:
> On 2019-03-10, Brian Inglis wrote:
>> On 2019-03-10 10:40, Archie Cobbs wrote:
>>> In any case, the problem I'm talking about is trivial to verify. Just
>>> start up Chrome or Firefox and enter http://www.cygwin.com. You can
>>> then confirm that (a) the p
Brian Inglis wrote:
On 2019-03-10 10:40, Archie Cobbs wrote:
[...]
In any case, the problem I'm talking about is trivial to verify. Just
start up Chrome or Firefox and enter http://www.cygwin.com. You can
then confirm that (a) the page you are looking at has an http:// URL,
and (b) the link to
On Sun, Mar 10, 2019 at 6:20 PM L A Walsh wrote:
> >> It would be safer if http://www.cygwin.com always redirected you to
> >> https://www.cygwin.com, where the page and the link are SSL.
> >> Is there any reason not to force this redirect and close this security
> >> hole?
>
> I think the po
On 2019-03-10 10:40, Archie Cobbs wrote:
> On Sun, Mar 10, 2019 at 9:16 AM Brian Inglis wrote:
>>> Is there any reason not to force this redirect and close this security hole?
There are apparently reasons not to force this redirect as it can also cause a
security hole.
>> The whole sourceware.org
On 3/10/2019 7:16 AM, Brian Inglis wrote:
> On 2019-03-09 21:54, Archie Cobbs wrote:
>> It would be safer if http://www.cygwin.com always redirected you to
>> https://www.cygwin.com, where the page and the link are SSL.
>> Is there any reason not to force this redirect and close this security hole?
Hi Brian,
On Sun, Mar 10, 2019 at 9:16 AM Brian Inglis wrote:
> > Is there any reason not to force this redirect and close this security hole?
>
> The whole sourceware.org site include cygwin.com uses HSTS which compliant
> supporting clients can use to switch to communicating over HTTPS.
> Clien
Hi Andrey,
On Sun, Mar 10, 2019 at 8:35 AM Andrey Repin wrote:
> > Is there any reason not to force this redirect and close this security hole?
>
> If you care that much, you would use https.
> If not, then I see no reason to bend to hysteric crowd.
You are correct: careful, diligent, knowledgea
On 2019-03-09 21:54, Archie Cobbs wrote:
> The FAQ states:
> The Cygwin website provides the setup program (setup-x86.exe or
> setup-x86_64.exe) using HTTPS (SSL/TLS).
> While this is true, it's not mandatory.
> If one happens to go to HTTP://www.cygwin.com instead of
> HTTPS://www.cygwin.com,
On 2019-03-09 21:54, Archie Cobbs wrote:
> The FAQ states:
> The Cygwin website provides the setup program (setup-x86.exe or
> setup-x86_64.exe) using HTTPS (SSL/TLS).
> While this is true, it's not mandatory.
> If one happens to go to HTTP://www.cygwin.com instead of
> HTTPS://www.cygwin.com,
Greetings, Archie Cobbs!
> The FAQ states:
> The Cygwin website provides the setup program (setup-x86.exe or
> setup-x86_64.exe) using HTTPS (SSL/TLS).
> While this is true, it's not mandatory.
> If one happens to go to HTTP://www.cygwin.com instead of
> HTTPS://www.cygwin.com, then neither
The FAQ states:
The Cygwin website provides the setup program (setup-x86.exe or
setup-x86_64.exe) using HTTPS (SSL/TLS).
While this is true, it's not mandatory.
If one happens to go to HTTP://www.cygwin.com instead of
HTTPS://www.cygwin.com, then neither the page you are viewing (which
conta