| www.delorie.com/archives/browse.cgi | search |
| X-Recipient: | archive-cygwin AT delorie DOT com |
| DomainKey-Signature: | a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id |
| :list-unsubscribe:list-subscribe:list-archive:list-post | |
| :list-help:sender:reply-to:subject:to:references:cc:from | |
| :message-id:date:mime-version:in-reply-to:content-type | |
| :content-transfer-encoding; q=dns; s=default; b=pwL/FgFR8T0by8Ma | |
| kMIzLzEUD+cPz3C3Q0wIMwt1Fb85XM8ozu5UvZXTBWb66Vl0vQ872FFItfkSyuTu | |
| B/YmCnfe6ymBmKGq75ntw5THCqal7BzemH3mMmOCoCewqSurbQtIGuwUdeuhlCLA | |
| hnbIWrTp6TYmamBZmbwQNBkHBMQ= | |
| DKIM-Signature: | v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id |
| :list-unsubscribe:list-subscribe:list-archive:list-post | |
| :list-help:sender:reply-to:subject:to:references:cc:from | |
| :message-id:date:mime-version:in-reply-to:content-type | |
| :content-transfer-encoding; s=default; bh=JStthDmnDECmzajMlHu1WK | |
| QHku4=; b=TuEtxdQZadOAlKqWl6VW8cyy1KSpPtdsbH8dkRmL9Hz9CS1BU1ZMoC | |
| Fo/0hI+BoHEOXPtu5WbKbOKCXnKpXyY+f6zhgwqHokAz9ImSj2ziUXJP95a2E1fl | |
| xy7Bk0S4ajVDLNjnia9kbo5hC97GOz3MxItd5Sl0XdQCDohwvaUBE= | |
| Mailing-List: | contact cygwin-help AT cygwin DOT com; run by ezmlm |
| List-Id: | <cygwin.cygwin.com> |
| List-Subscribe: | <mailto:cygwin-subscribe AT cygwin DOT com> |
| List-Archive: | <http://sourceware.org/ml/cygwin/> |
| List-Post: | <mailto:cygwin AT cygwin DOT com> |
| List-Help: | <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs> |
| Sender: | cygwin-owner AT cygwin DOT com |
| Mail-Followup-To: | cygwin AT cygwin DOT com |
| Delivered-To: | mailing list cygwin AT cygwin DOT com |
| Authentication-Results: | sourceware.org; auth=none |
| X-Spam-SWARE-Status: | No, score=-2.8 required=5.0 tests=AWL,BAYES_00,RCVD_IN_DNSWL_LOW autolearn=ham version=3.3.1 spammy= |
| X-HELO: | smtp-out-so.shaw.ca |
| Reply-To: | Brian DOT Inglis AT SystematicSw DOT ab DOT ca |
| Subject: | Re: SSL not required for setup.exe download |
| To: | cygwin AT cygwin DOT com |
| References: | <CANSoFxtW0Jb1M5KfkFGGOxec_D8ysyYCrnk_PXWjHobLDXZauQ AT mail DOT gmail DOT com> <1a840c2e-55ac-0ab4-66c4-a1f6a2c4f81a AT Shaw DOT ca> <CANSoFxtA0vnF1adx4rwyjuMasrVAOGb8hT_Uct-wSdcazj252w AT mail DOT gmail DOT com> <41f12842-ea43-ff63-a660-26ee3b497c63 AT SystematicSw DOT ab DOT ca> <3132c0de-2689-a270-b996-d309017ca815 AT maxrnd DOT com> |
| Cc: | sourcemaster AT sourceware DOT org |
| From: | Brian Inglis <Brian DOT Inglis AT SystematicSw DOT ab DOT ca> |
| Openpgp: | preference=signencrypt |
| Message-ID: | <8d0f9c58-8304-7525-3b9e-0b8e92b1d697@SystematicSw.ab.ca> |
| Date: | Mon, 11 Mar 2019 05:50:28 -0600 |
| User-Agent: | Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.5.3 |
| MIME-Version: | 1.0 |
| In-Reply-To: | <3132c0de-2689-a270-b996-d309017ca815@maxrnd.com> |
| X-IsSubscribed: | yes |
On 2019-03-10 23:16, Mark Geisert wrote:
> On 2019-03-10, Brian Inglis wrote:
>> On 2019-03-10 10:40, Archie Cobbs wrote:
>>> In any case, the problem I'm talking about is trivial to verify. Just
>>> start up Chrome or Firefox and enter http://www.cygwin.com. You can
>>> then confirm that (a) the page you are looking at has an http:// URL,
>>> and (b) the link to setup.exe also has an http:// URL. Therefore,
>>> there is no real security in this scenario.
>>
>> I only get to see https://www.cygwin.com/ YMMV
>
> FWIW, I can reproduce the OP's STC using Chrome, Firefox, and Pale Moon. Not
> sure why it happens for some folks but not others. But since it does exist for
> some users, should it be dealt with?
It is possible that some of the clients on some of the systems accessing
sourceware projects may not be capable of supporting HTTPS, TLS, or HSTS, so a
permanent 301 redirection to HTTPS:443 may not be feasible.
If the sourcemaster at sourceware.org dealt with the issues below:
https://hstspreload.org/?domain=sourceware.org
by changing the header from:
Strict-Transport-Security: max-age=16070400
to:
Strict-Transport-Security: max-age=16070400; includeSubDomains; preload
it could be automatic soon in most major browsers using the Chromium/Mozilla
preload list:
https://github.com/chromium/hstspreload.org
but some of us are currently redirected while others are not.
I have probably been using HTTPS in browsers and scripts since it was supported
by sourceware.org and cygwin.com.
It looks like once browsers or clients have seen the HTTPS:443 STS header, or if
a site is on a preload list, they redirect to HTTPS:443; if you use wget, check
for ~/.wget-hsts which should contain {,www.}{cygwin.com,sourceware.org} if you
used wget to access those sites.
--
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada
This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
| webmaster | delorie software privacy |
| Copyright © 2019 by DJ Delorie | Updated Jul 2019 |