This is the mail archive of the cygwin mailing list for the Cygwin project.
On Feb 26 17:31, David A. Wheeler wrote:
> The Cygwin front web page ( https://www.cygwin.com/ ) says:
> "Install it by running setup-x86.exe (32-bit installation) or
> setup-x86_64.exe (64-bit installation)."
>
> However, both of the links to those .exe executables explicitly use
> "http://", and not "https://", even when you go to the https version
> of the Cygwin website. This use of http: enables a man-in-the-middle
> attack on anyone trying to download the Cygwin installer. In
> particular, a man-in-the-middle could maliciously modify the .exe, and
> there are many programs that can automatically insert malicious code
> into a Windows .exe file.

Did you notice that you're automatically redirected to https?

> Please fix those links to use "https:", and not "http:".
>
> You might also want to enable "HTTP Strict Transport Security" (HSTS)
> on the Cygwin website.

That's not for us to say. We're users of the site, not admins.

Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
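
A check for the two items raised in this thread, download links that use http:// on a page served over https and the presence of an HSTS policy, as an added example that is not part of the original message or of the Cygwin project. The host `downloads.example`, the sample HTML and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample input (not the real Cygwin page or its headers).
SAMPLE_URL = "https://downloads.example/"
SAMPLE_HTML = """
<p>Install it by running <a href="http://downloads.example/setup-x86.exe">setup-x86.exe</a>
or <a href="http://downloads.example/setup-x86_64.exe">setup-x86_64.exe</a>.</p>
<a href="/docs/setup.exe">relative link, inherits https</a>
<a href="http://downloads.example/faq.html">not a download</a>
"""

class _Links(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)

def insecure_download_links(page_url, html, suffixes=(".exe",)):
    """Absolute http:// links to downloadable files. The first request for
    such a link leaves the browser in plaintext, before any redirect, unless
    the browser already holds an HSTS policy for the host."""
    parser = _Links()
    parser.feed(html)
    targets = (urlsplit(urljoin(page_url, h)) for h in parser.hrefs)
    return [t.geturl() for t in targets
            if t.scheme == "http" and t.path.lower().endswith(suffixes)]

def parse_hsts(value):
    """Return {'max_age', 'include_subdomains'} or None if no usable policy."""
    policy = {"max_age": None, "include_subdomains": False}
    for directive in (value or "").split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            arg = arg.strip().strip('"')
            if not (arg.isascii() and arg.isdigit()):
                return None
            policy["max_age"] = int(arg)
        elif name.strip().lower() == "includesubdomains":
            policy["include_subdomains"] = True
    # max-age is mandatory; max-age=0 tells the browser to forget the host.
    return policy if policy["max_age"] else None

if __name__ == "__main__":
    for url in insecure_download_links(SAMPLE_URL, SAMPLE_HTML):
        print("insecure download link:", url)
    print("HSTS policy:", parse_hsts("max-age=31536000; includeSubDomains"))
```
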