Mail Archives: cygwin/2019/03/12/09:48:01

www.delorie.com/archives/browse.cgi

search

Mail Archives: cygwin/2019/03/12/09:48:01

X-Recipient: archive-cygwin AT delorie DOT com

DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id

:list-unsubscribe:list-subscribe:list-archive:list-post

:list-help:sender:mime-version:references:in-reply-to:from:date

:message-id:subject:to:content-type; q=dns; s=default; b=YchnFZq

ZXzFS1r3VJj/TJw4PRpPy7QH93Ton2/aiK7TOxO6Q3tqPmThiv2me1e9pmwaLjWr

Xhg7OhHUkdIjIHtC+IlCEy/G93J2M04fwOK36LSQxzR1N/u6ZsBUwSX3ta18hRy6

YVwIiMRgvUE9WhPITbO/I/H4DChDXaWR891I=

DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id

:list-unsubscribe:list-subscribe:list-archive:list-post

:list-help:sender:mime-version:references:in-reply-to:from:date

:message-id:subject:to:content-type; s=default; bh=L+ul5KUCW9znH

+dviVIrWb/Eaq4=; b=JeAYlwVFlz2BuE3a09M3MFYhMALd6P/VkzcElmk2XD1Ro

E0MZYWKj06Qh3/ms1D4Yj+LODQwlMHNjsCpkzpUwIURegxiXjcpgxaLvVDM+TIc3

O85aM5+qOCf1rSWUMvqrg01Fyup07zpjxMNGUBbn+6cse57xYKpjBl9w+fVIWY=

Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm

List-Id: <cygwin.cygwin.com>

List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>

List-Archive: <http://sourceware.org/ml/cygwin/>

List-Post: <mailto:cygwin AT cygwin DOT com>

List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>

Sender: cygwin-owner AT cygwin DOT com

Mail-Followup-To: cygwin AT cygwin DOT com

Delivered-To: mailing list cygwin AT cygwin DOT com

Authentication-Results: sourceware.org; auth=none

X-Spam-SWARE-Status: No, score=0.7 required=5.0 tests=AWL,BAYES_00,EXECUTABLE_URI,FREEMAIL_FROM,KAM_EXEURI,RCVD_IN_DNSWL_NONE,SPF_PASS autolearn=no version=3.3.1 spammy=attack

X-HELO: mail-vk1-f169.google.com

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=SVuxzVec8BwyMM8otDiKHat4bfQf0zo51D8pygO1F2k=; b=SaAwo/BwQ++pXzhQAZDp2d8RY9lAU+XzEJ6letZjeH752vu0IvYqtVqn+2ZCZ8+bWo PtKXX5bxLAgzLN+n/34kKYdhojpgf5GbkXI439RIRshjvoXlUSFJmfkRouewuFUaWz3B TAnt2922fRG6Qs8XWhE/kUVOeNgO3RG5yG9bdKzX/ElKPuozBa4pUrQx5P/n552n1A0k /H51aG3xaWu/aCDyU4lly3NhCHcwOrRBa3mVZyNnPA40+bNnHYx1yxzvYs0gEly2n2gl 2lHsZNcx2YTgVRc/X1Pi+I4oGv7DsPP0V+78XgVzofPiP+QJE/4HsqzLKzTRSE1pql08 uQ2A==

MIME-Version: 1.0

References: <CANSoFxtW0Jb1M5KfkFGGOxec_D8ysyYCrnk_PXWjHobLDXZauQ AT mail DOT gmail DOT com> <1a840c2e-55ac-0ab4-66c4-a1f6a2c4f81a AT Shaw DOT ca> <CANSoFxtA0vnF1adx4rwyjuMasrVAOGb8hT_Uct-wSdcazj252w AT mail DOT gmail DOT com> <41f12842-ea43-ff63-a660-26ee3b497c63 AT SystematicSw DOT ab DOT ca> <CANSoFxtLzGgcOhrsu4h0eXXnpezB6v17cGwOrqy6SjSvJ__gLA AT mail DOT gmail DOT com> <1b570593-0ec7-0890-26ef-7e7468534f47 AT SystematicSw DOT ab DOT ca> <CANSoFxsq+5OfRH7RF3QdpMSJU-4JAKSCZM-rUUysP5Y3myR0+Q AT mail DOT gmail DOT com> <CAD8GWsu+P_d8RCiibkZ068oRAf8yeu=W5CLFO+ZNXGxjUcBOpw AT mail DOT gmail DOT com>

In-Reply-To: <CAD8GWsu+P_d8RCiibkZ068oRAf8yeu=W5CLFO+ZNXGxjUcBOpw@mail.gmail.com>

From: Archie Cobbs <archie DOT cobbs AT gmail DOT com>

Date: Tue, 12 Mar 2019 08:47:36 -0500

Message-ID: <CANSoFxu7sNUqP3zSKHiFULBrvOkhPFRuc8MyAHojAGFNu-O_xQ@mail.gmail.com>

Subject: Re: SSL not required for setup.exe download

To: cygwin AT cygwin DOT com

X-IsSubscribed: yes

On Mon, Mar 11, 2019 at 6:00 PM Lee wrote:
> > I must say I'm surprised so many people think it's a good idea to
> > leave cygwin open to trivial MITM attacks, which is the current state
> > of affairs.
>
> But it's only open to a trivial MITM attack if the user types in
> "http://cygwin.com" - correct?  Why isn't the fix "don't do that"?

Because security that rests on assuming humans will always do the
correct thing has proven to be unreliable (understatement).

> > This is my opinion only of course, but if cygwin wants to have any
> > security credibility, it should simply disallow non-SSL downloads of
> > setup.exe. Otherwise the chain of authenticity is broken forever.
>
> They sign setup.exe, so "the chain of authenticity" is there regardless.
>   https://cygwin.com/setup-x86_64.exe
>   https://cygwin.com/setup-x86_64.exe.sig

I don't see your point.

Downloading the sig file over HTTP is useless... any attacker going to
the trouble to launch a MITM attack for setup.exe will certainly also
do it for the sig file as well.

OTOH, if you download the file over HTTPS..  then your client supports
SSL. Which is exactly what I'm saying should be mandatory.

-AC

-- 
Archie L. Cobbs

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

- Raw text -

webmaster	delorie software privacy
Copyright © 2019 by DJ Delorie	Updated Jul 2019

X-Recipient:	archive-cygwin AT delorie DOT com
DomainKey-Signature:	a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:mime-version:references:in-reply-to:from:date
	:message-id:subject:to:content-type; q=dns; s=default; b=YchnFZq
	ZXzFS1r3VJj/TJw4PRpPy7QH93Ton2/aiK7TOxO6Q3tqPmThiv2me1e9pmwaLjWr
	Xhg7OhHUkdIjIHtC+IlCEy/G93J2M04fwOK36LSQxzR1N/u6ZsBUwSX3ta18hRy6
	YVwIiMRgvUE9WhPITbO/I/H4DChDXaWR891I=
DKIM-Signature:	v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:mime-version:references:in-reply-to:from:date
	:message-id:subject:to:content-type; s=default; bh=L+ul5KUCW9znH
	+dviVIrWb/Eaq4=; b=JeAYlwVFlz2BuE3a09M3MFYhMALd6P/VkzcElmk2XD1Ro
	E0MZYWKj06Qh3/ms1D4Yj+LODQwlMHNjsCpkzpUwIURegxiXjcpgxaLvVDM+TIc3
	O85aM5+qOCf1rSWUMvqrg01Fyup07zpjxMNGUBbn+6cse57xYKpjBl9w+fVIWY=
Mailing-List:	contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id:	<cygwin.cygwin.com>
List-Subscribe:	<mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive:	<http://sourceware.org/ml/cygwin/>
List-Post:	<mailto:cygwin AT cygwin DOT com>
List-Help:	<mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender:	cygwin-owner AT cygwin DOT com
Mail-Followup-To:	cygwin AT cygwin DOT com
Delivered-To:	mailing list cygwin AT cygwin DOT com
Authentication-Results:	sourceware.org; auth=none
X-Spam-SWARE-Status:	No, score=0.7 required=5.0 tests=AWL,BAYES_00,EXECUTABLE_URI,FREEMAIL_FROM,KAM_EXEURI,RCVD_IN_DNSWL_NONE,SPF_PASS autolearn=no version=3.3.1 spammy=attack
X-HELO:	mail-vk1-f169.google.com
DKIM-Signature:	v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=SVuxzVec8BwyMM8otDiKHat4bfQf0zo51D8pygO1F2k=; b=SaAwo/BwQ++pXzhQAZDp2d8RY9lAU+XzEJ6letZjeH752vu0IvYqtVqn+2ZCZ8+bWo PtKXX5bxLAgzLN+n/34kKYdhojpgf5GbkXI439RIRshjvoXlUSFJmfkRouewuFUaWz3B TAnt2922fRG6Qs8XWhE/kUVOeNgO3RG5yG9bdKzX/ElKPuozBa4pUrQx5P/n552n1A0k /H51aG3xaWu/aCDyU4lly3NhCHcwOrRBa3mVZyNnPA40+bNnHYx1yxzvYs0gEly2n2gl 2lHsZNcx2YTgVRc/X1Pi+I4oGv7DsPP0V+78XgVzofPiP+QJE/4HsqzLKzTRSE1pql08 uQ2A==
MIME-Version:	1.0
References:	<CANSoFxtW0Jb1M5KfkFGGOxec_D8ysyYCrnk_PXWjHobLDXZauQ AT mail DOT gmail DOT com> <1a840c2e-55ac-0ab4-66c4-a1f6a2c4f81a AT Shaw DOT ca> <CANSoFxtA0vnF1adx4rwyjuMasrVAOGb8hT_Uct-wSdcazj252w AT mail DOT gmail DOT com> <41f12842-ea43-ff63-a660-26ee3b497c63 AT SystematicSw DOT ab DOT ca> <CANSoFxtLzGgcOhrsu4h0eXXnpezB6v17cGwOrqy6SjSvJ__gLA AT mail DOT gmail DOT com> <1b570593-0ec7-0890-26ef-7e7468534f47 AT SystematicSw DOT ab DOT ca> <CANSoFxsq+5OfRH7RF3QdpMSJU-4JAKSCZM-rUUysP5Y3myR0+Q AT mail DOT gmail DOT com> <CAD8GWsu+P_d8RCiibkZ068oRAf8yeu=W5CLFO+ZNXGxjUcBOpw AT mail DOT gmail DOT com>
In-Reply-To:	<CAD8GWsu+P_d8RCiibkZ068oRAf8yeu=W5CLFO+ZNXGxjUcBOpw@mail.gmail.com>
From:	Archie Cobbs <archie DOT cobbs AT gmail DOT com>
Date:	Tue, 12 Mar 2019 08:47:36 -0500
Message-ID:	<CANSoFxu7sNUqP3zSKHiFULBrvOkhPFRuc8MyAHojAGFNu-O_xQ@mail.gmail.com>
Subject:	Re: SSL not required for setup.exe download
To:	cygwin AT cygwin DOT com
X-IsSubscribed:	yes