David A. Wheeler
2015-03-11 14:35:09 UTC
Currently Cygwin-ports has problems countering man-in-the-middle (MITM) attacks when it installs/updates software.
The good news is that this is easy to fix.
Problem 1: The GPG key isn't acquired in some authenticated way.
Currently, users get the key by viewing http://cygwinports.org/
and downloading the GPG key using http. That's vulnerable to MITM.
The obvious solution, now used by Cygwin itself, is to switch cygwinports.org
to use https. ideally it'd be https-only, using HSTS, like Cygwin itself.
Problem 2: Currently MD5 is used as the hash function in the setup.ini files.
The current Cygwin installer now supports SHA-512, and Cygwin intends to
switch to SHA-512 soon in its setup.ini file. I recommend the same things
happen in cygwin-ports.
Thanks!
--- David A. Wheeler
The good news is that this is easy to fix.
Problem 1: The GPG key isn't acquired in some authenticated way.
Currently, users get the key by viewing http://cygwinports.org/
and downloading the GPG key using http. That's vulnerable to MITM.
The obvious solution, now used by Cygwin itself, is to switch cygwinports.org
to use https. ideally it'd be https-only, using HSTS, like Cygwin itself.
Problem 2: Currently MD5 is used as the hash function in the setup.ini files.
The current Cygwin installer now supports SHA-512, and Cygwin intends to
switch to SHA-512 soon in its setup.ini file. I recommend the same things
happen in cygwin-ports.
Thanks!
--- David A. Wheeler