SSL not required for setup.exe download

L A Walsh cygwin@tlinx.org
Sun Mar 10 23:20:00 GMT 2019 

On 3/10/2019 7:16 AM, Brian Inglis wrote:
> On 2019年03月09日 21:54, Archie Cobbs wrote:
>> It would be safer if http://www.cygwin.com always redirected you to
>> https://www.cygwin.com, where the page and the link are SSL.
>> Is there any reason not to force this redirect and close this security hole?
>>----
 I think the point is that if you redirect and a client can't
speak https, what happens? Wouldn't they get an error that would
prevent them from using the site?
 Google has a vested interest in getting people locked in on
https -- makes it much harder for people to use proxies and lower
their requests to google and for them to block some requests. They get
to control what you get -- not you.
>> The whole sourceware.org site include cygwin.com uses HSTS which compliant
> supporting clients can use to switch to communicating over HTTPS.
> Clients which are not compliant or don't support HTTPS may still download the
> programs and files.
>>
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple

More information about the Cygwin mailing list

AltStyle によって変換されたページ (->オリジナル) /