| www.delorie.com/archives/browse.cgi | search |
| X-Recipient: | archive-cygwin AT delorie DOT com |
| DomainKey-Signature: | a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id |
| :list-unsubscribe:list-subscribe:list-archive:list-post | |
| :list-help:sender:from:to:subject:references:date:in-reply-to | |
| :message-id:mime-version:content-type; q=dns; s=default; b=iAD5g | |
| 0173YXTVyqQTOZtY+6hG8fOXnVBACSGGI2SdW+75+40RXBjqtBv+XU6Gd8s/8JyF | |
| KG6fBp6CK/+lLfBHpA85KAIFXFtM8P5tId9SWYAO3D2GDEqRekBr9W7mpgb+lzey | |
| GgKcC5+vAHQRdyx5//zDXr6UnjY8LqaKKeBbYo= | |
| DKIM-Signature: | v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id |
| :list-unsubscribe:list-subscribe:list-archive:list-post | |
| :list-help:sender:from:to:subject:references:date:in-reply-to | |
| :message-id:mime-version:content-type; s=default; bh=OfRPeQZl09C | |
| oxhHmNsa5CAxO/wA=; b=ROU2Xi3OE9RMXsb3DnwV9fCa7tKC15ePo0iA9veNFPT | |
| N3siiVqn4NFlgsX5TUTLzF6lTf6qA7wrQPUmTkcjY9OTJoVDhVWEbAKMEcZrRgng | |
| u1P4PvTo/9ahatRw1FoKxYD4PXzqY6uUkBfu0MloRUJForAvPOSSOlX6w/lfEXAg | |
| = | |
| Mailing-List: | contact cygwin-help AT cygwin DOT com; run by ezmlm |
| List-Id: | <cygwin.cygwin.com> |
| List-Subscribe: | <mailto:cygwin-subscribe AT cygwin DOT com> |
| List-Archive: | <http://sourceware.org/ml/cygwin/> |
| List-Post: | <mailto:cygwin AT cygwin DOT com> |
| List-Help: | <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs> |
| Sender: | cygwin-owner AT cygwin DOT com |
| Mail-Followup-To: | cygwin AT cygwin DOT com |
| Delivered-To: | mailing list cygwin AT cygwin DOT com |
| Authentication-Results: | sourceware.org; auth=none |
| X-Virus-Found: | No |
| X-Spam-SWARE-Status: | No, score=-1.7 required=5.0 tests=AWL,BAYES_00,RCVD_IN_DNSWL_NONE,SPF_PASS autolearn=ham version=3.3.2 |
| X-HELO: | mail-in-06.arcor-online.net |
| X-DKIM: | Sendmail DKIM Filter v2.8.2 mail-in-09.arcor-online.net 3l0Y6R2VNyzDYYF |
| From: | Achim Gratz <Stromeko AT nexgo DOT de> |
| To: | cygwin AT cygwin DOT com |
| Subject: | Re: How Cygwin counters man-in-the-middle (MITM) attacks |
| References: | <E1YUgpo-0002Wt-L5 AT rmm6prod02 DOT runbox DOT com> |
| Date: | Sun, 08 Mar 2015 20:44:30 +0100 |
| In-Reply-To: | <E1YUgpo-0002Wt-L5@rmm6prod02.runbox.com> (David A. Wheeler's message of "Sun, 08 Mar 2015 15:25:56 -0400 (EDT)") |
| Message-ID: | <874mpvqnoh.fsf@Rainer.invalid> |
| User-Agent: | Gnus/5.13 (Gnus v5.13) Emacs/25.0.50 (gnu/linux) |
| MIME-Version: | 1.0 |
David A. Wheeler writes: > I checked Cygwin.com's SSL/TLS implementation using Qualsys > ( https://www.ssllabs.com/ssltest/ ). Cygwin.com got an overall rating > of "B" (capped because it permits the RC4 cipher). That's not what I see at the moment, so you might want to check again: Starting Nmap 6.47 ( http://nmap.org ) at 2015-03-08 20:38 CET Nmap scan report for cygwin.com (209.132.180.131) Host is up (0.21s latency). rDNS record for 209.132.180.131: server1.sourceware.org PORT STATE SERVICE 443/tcp open https | ssl-cert: Subject: commonName=cygwin.com/organizationName=Red Hat Inc./stateOrProvinceName=North Carolina/countryName=US | Issuer: commonName=DigiCert SHA2 High Assurance Server CA/organizationName=DigiCert Inc/countryName=US | Public Key type: rsa | Public Key bits: 4096 | Not valid before: 2014-05-15T23:00:00+00:00 | Not valid after: 2016-05-20T11:00:00+00:00 | MD5: d888 b3ed 9f0f f8d1 5b57 fdd7 5122 bb53 |_SHA-1: 349e 7f24 e249 2256 af2d 15a9 2883 ce84 4a40 a88f | ssl-enum-ciphers: | SSLv3: No supported ciphers found | TLSv1.0: | ciphers: | TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong | TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong | TLS_DHE_RSA_WITH_SEED_CBC_SHA - strong | TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong | TLS_RSA_WITH_AES_256_CBC_SHA - strong | TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong | TLS_RSA_WITH_IDEA_CBC_SHA - weak | TLS_RSA_WITH_RC4_128_SHA - strong | TLS_RSA_WITH_SEED_CBC_SHA - strong | compressors: | | TLSv1.1: | ciphers: | TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong | TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong | TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong | TLS_DHE_RSA_WITH_SEED_CBC_SHA - strong | TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong | TLS_RSA_WITH_AES_256_CBC_SHA - strong | TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong | TLS_RSA_WITH_RC4_128_SHA - strong | TLS_RSA_WITH_SEED_CBC_SHA - strong | compressors: | NULL | TLSv1.2: | ciphers: | TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong | TLS_RSA_WITH_AES_128_GCM_SHA256 - strong | compressors: | NULL |_ least strength: weak > 5. The possibly-updated packages to be installed are downloaded and their > cryptographic hashes (from the signed setup.ini file) are checked. > > Currently (as of 2015-03-08) Cygwin uses MD5 cryptographic hashes. > As long as MD5 is accepted then Cygwin is vulnerable to > MITM, because MD5 is a totally broken algorithm. E.g., in 2012 > the Flame malware exploited MD5 to fake a Microsoft digital signature. Setup.ini also records the file size, so a successful attack would need to pack a malicous payload into a valid archive of the same size and the same MD5 checksum. I think that is a much taller order than simply creating a hash collision. Regards, Achim. -- +<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+ Waldorf MIDI Implementation & additional documentation: http://Synth.Stromeko.net/Downloads.html#WaldorfDocs -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
| webmaster | delorie software privacy |
| Copyright © 2019 by DJ Delorie | Updated Jul 2019 |