Mail Archives: cygwin/2019/03/12/10:31:55

www.delorie.com/archives/browse.cgi

search

Mail Archives: cygwin/2019/03/12/10:31:55

X-Recipient: archive-cygwin AT delorie DOT com

DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id

:list-unsubscribe:list-subscribe:list-archive:list-post

:list-help:sender:reply-to:subject:to:references:from:message-id

:date:mime-version:in-reply-to:content-type

:content-transfer-encoding; q=dns; s=default; b=vQ7rnpLLuA9Tja1p

wTjJVpCBop5r6lv5c3eYPjivW5N+1yX22Oeuy0Hfr2NKj3FXtRgJeiJn/nZpOUYw

Ro9DsNNxZoQdgKWkObTQGvc3vhFZAcxPVKLfzFWbSYJtBqiXI/S2D4upkmD4pl0/

ig+lbRC/d+Q6+XIeI3fBL30vMSE=

DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id

:list-unsubscribe:list-subscribe:list-archive:list-post

:list-help:sender:reply-to:subject:to:references:from:message-id

:date:mime-version:in-reply-to:content-type

:content-transfer-encoding; s=default; bh=rFu+K7OBZrmra964JBKpiF

NSHrE=; b=vZ6RLoBW1xZGXyvquZXYxPuOG+xOHNEfK+OGb8E2grxANHLwlsBMFI

imc1PE64V/QSieJ+a8TP27q5sCtjjvyoR5D9W3mtBTqOp6LSk04fD3qGbOUYrosI

JzvIUorc6M5TzPjtcFUVF8vvAZlx5XXlj97DBShQv2kgb5ZdupaWs=

Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm

List-Id: <cygwin.cygwin.com>

List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>

List-Archive: <http://sourceware.org/ml/cygwin/>

List-Post: <mailto:cygwin AT cygwin DOT com>

List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>

Sender: cygwin-owner AT cygwin DOT com

Mail-Followup-To: cygwin AT cygwin DOT com

Delivered-To: mailing list cygwin AT cygwin DOT com

Authentication-Results: sourceware.org; auth=none

X-Spam-SWARE-Status: No, score=-0.4 required=5.0 tests=AWL,BAYES_00,EXECUTABLE_URI,KAM_EXEURI,RCVD_IN_DNSWL_LOW autolearn=no version=3.3.1 spammy=burden, attack

X-HELO: smtp-out-so.shaw.ca

Reply-To: Brian DOT Inglis AT SystematicSw DOT ab DOT ca

Subject: Re: SSL not required for setup.exe download

To: cygwin AT cygwin DOT com

References: <CANSoFxtW0Jb1M5KfkFGGOxec_D8ysyYCrnk_PXWjHobLDXZauQ AT mail DOT gmail DOT com> <1a840c2e-55ac-0ab4-66c4-a1f6a2c4f81a AT Shaw DOT ca> <CANSoFxtA0vnF1adx4rwyjuMasrVAOGb8hT_Uct-wSdcazj252w AT mail DOT gmail DOT com> <41f12842-ea43-ff63-a660-26ee3b497c63 AT SystematicSw DOT ab DOT ca> <CANSoFxtLzGgcOhrsu4h0eXXnpezB6v17cGwOrqy6SjSvJ__gLA AT mail DOT gmail DOT com> <1b570593-0ec7-0890-26ef-7e7468534f47 AT SystematicSw DOT ab DOT ca> <CANSoFxsq+5OfRH7RF3QdpMSJU-4JAKSCZM-rUUysP5Y3myR0+Q AT mail DOT gmail DOT com> <CAD8GWsu+P_d8RCiibkZ068oRAf8yeu=W5CLFO+ZNXGxjUcBOpw AT mail DOT gmail DOT com> <CANSoFxu7sNUqP3zSKHiFULBrvOkhPFRuc8MyAHojAGFNu-O_xQ AT mail DOT gmail DOT com>

From: Brian Inglis <Brian DOT Inglis AT SystematicSw DOT ab DOT ca>

Openpgp: preference=signencrypt

Message-ID: <ecebba35-b0d0-b996-8a78-47e0e8d33572@SystematicSw.ab.ca>

Date: Tue, 12 Mar 2019 08:31:38 -0600

User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.5.3

MIME-Version: 1.0

In-Reply-To: <CANSoFxu7sNUqP3zSKHiFULBrvOkhPFRuc8MyAHojAGFNu-O_xQ@mail.gmail.com>

X-IsSubscribed: yes

On 2019-03-12 07:47, Archie Cobbs wrote:
> On Mon, Mar 11, 2019 at 6:00 PM Lee wrote:
>>> I must say I'm surprised so many people think it's a good idea to
>>> leave cygwin open to trivial MITM attacks, which is the current state
>>> of affairs.
>> But it's only open to a trivial MITM attack if the user types in
>> "http://cygwin.com" - correct?  Why isn't the fix "don't do that"?
> Because security that rests on assuming humans will always do the
> correct thing has proven to be unreliable (understatement).
>>> This is my opinion only of course, but if cygwin wants to have any
>>> security credibility, it should simply disallow non-SSL downloads of
>>> setup.exe. Otherwise the chain of authenticity is broken forever.
>> They sign setup.exe, so "the chain of authenticity" is there regardless.
>>   https://cygwin.com/setup-x86_64.exe
>>   https://cygwin.com/setup-x86_64.exe.sig
> I don't see your point.
> Downloading the sig file over HTTP is useless... any attacker going to
> the trouble to launch a MITM attack for setup.exe will certainly also
> do it for the sig file as well.
> OTOH, if you download the file over HTTPS..  then your client supports
> SSL. Which is exactly what I'm saying should be mandatory.

Forcing TLS means blocking anyone who for any reason can not use TLS: this is a
performance and support burden compared to allowing both HTTP:80 and HTTPS:443.
Same reasons most ISPs/ASes/orgs don't filter or validate packet source IP
addresses per BCP 38 which would stop most abuses!

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

- Raw text -

webmaster	delorie software privacy
Copyright © 2019 by DJ Delorie	Updated Jul 2019

X-Recipient:	archive-cygwin AT delorie DOT com
DomainKey-Signature:	a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:reply-to:subject:to:references:from:message-id
	:date:mime-version:in-reply-to:content-type
	:content-transfer-encoding; q=dns; s=default; b=vQ7rnpLLuA9Tja1p
	wTjJVpCBop5r6lv5c3eYPjivW5N+1yX22Oeuy0Hfr2NKj3FXtRgJeiJn/nZpOUYw
	Ro9DsNNxZoQdgKWkObTQGvc3vhFZAcxPVKLfzFWbSYJtBqiXI/S2D4upkmD4pl0/
	ig+lbRC/d+Q6+XIeI3fBL30vMSE=
DKIM-Signature:	v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:reply-to:subject:to:references:from:message-id
	:date:mime-version:in-reply-to:content-type
	:content-transfer-encoding; s=default; bh=rFu+K7OBZrmra964JBKpiF
	NSHrE=; b=vZ6RLoBW1xZGXyvquZXYxPuOG+xOHNEfK+OGb8E2grxANHLwlsBMFI
	imc1PE64V/QSieJ+a8TP27q5sCtjjvyoR5D9W3mtBTqOp6LSk04fD3qGbOUYrosI
	JzvIUorc6M5TzPjtcFUVF8vvAZlx5XXlj97DBShQv2kgb5ZdupaWs=
Mailing-List:	contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id:	<cygwin.cygwin.com>
List-Subscribe:	<mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive:	<http://sourceware.org/ml/cygwin/>
List-Post:	<mailto:cygwin AT cygwin DOT com>
List-Help:	<mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender:	cygwin-owner AT cygwin DOT com
Mail-Followup-To:	cygwin AT cygwin DOT com
Delivered-To:	mailing list cygwin AT cygwin DOT com
Authentication-Results:	sourceware.org; auth=none
X-Spam-SWARE-Status:	No, score=-0.4 required=5.0 tests=AWL,BAYES_00,EXECUTABLE_URI,KAM_EXEURI,RCVD_IN_DNSWL_LOW autolearn=no version=3.3.1 spammy=burden, attack
X-HELO:	smtp-out-so.shaw.ca
Reply-To:	Brian DOT Inglis AT SystematicSw DOT ab DOT ca
Subject:	Re: SSL not required for setup.exe download
To:	cygwin AT cygwin DOT com
References:	<CANSoFxtW0Jb1M5KfkFGGOxec_D8ysyYCrnk_PXWjHobLDXZauQ AT mail DOT gmail DOT com> <1a840c2e-55ac-0ab4-66c4-a1f6a2c4f81a AT Shaw DOT ca> <CANSoFxtA0vnF1adx4rwyjuMasrVAOGb8hT_Uct-wSdcazj252w AT mail DOT gmail DOT com> <41f12842-ea43-ff63-a660-26ee3b497c63 AT SystematicSw DOT ab DOT ca> <CANSoFxtLzGgcOhrsu4h0eXXnpezB6v17cGwOrqy6SjSvJ__gLA AT mail DOT gmail DOT com> <1b570593-0ec7-0890-26ef-7e7468534f47 AT SystematicSw DOT ab DOT ca> <CANSoFxsq+5OfRH7RF3QdpMSJU-4JAKSCZM-rUUysP5Y3myR0+Q AT mail DOT gmail DOT com> <CAD8GWsu+P_d8RCiibkZ068oRAf8yeu=W5CLFO+ZNXGxjUcBOpw AT mail DOT gmail DOT com> <CANSoFxu7sNUqP3zSKHiFULBrvOkhPFRuc8MyAHojAGFNu-O_xQ AT mail DOT gmail DOT com>
From:	Brian Inglis <Brian DOT Inglis AT SystematicSw DOT ab DOT ca>
Openpgp:	preference=signencrypt
Message-ID:	<ecebba35-b0d0-b996-8a78-47e0e8d33572@SystematicSw.ab.ca>
Date:	Tue, 12 Mar 2019 08:31:38 -0600
User-Agent:	Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.5.3
MIME-Version:	1.0
In-Reply-To:	<CANSoFxu7sNUqP3zSKHiFULBrvOkhPFRuc8MyAHojAGFNu-O_xQ@mail.gmail.com>
X-IsSubscribed:	yes