Hi Jaap,

On Tue, Apr 17, 2018 at 10:03:10AM +0200, Jaap Buurman wrote:
> Hello all,
> 
> Today I discovered that pulling packages from the feeds is done over
> http by default instead of https. I understand it is always going to
> be a trade-off between space requirements and features/security.
> However, pulling in packages over an unencrypted connection will allow
> for easy manipulation of the package's contents via a MITM attack. For
> a router that is going to run these packages, that stands between all
> your devices and the big bad internet that is an unacceptable
> trade-off in my opinion.

You haven't looked closely enough.
OpenWrt uses its own signature verification tool 'usign' to make
sure the package lists are signed by a trusted key (found in
/etc/opkg/keys). The lists contain hashes for each package, so
its integrity can be verified based on public keys shipped with
the build at a very low overhead (usign is by magnitudes smaller
than a full TLS stack plus CA certificates).


> 
> The fix itself is quite easy and involves changing the lines in
> /etc/opkg/distfeeds.conf to https versions. Additionally, a package
> that can download over https such as wget + ca-certificates is needed.
> However, as you might already see, to fix this vulnerability you need
> to use the vulnerable component to install these packages. Or you need
> to pull in the packages via your computer, ssh it over to your router
> and install it manually. Or you need to compile these packages in.

Even if you wanted to use TLS, you'd only need to install
one of libustream-{mbedtls,openssl,wolfssl} and ca-certificates,
no need to swap all of wget (i.e. uclient-fetch) with the
original bloat-version of the tool. Yet, that'd cost several
hundred kilobytes which we simply don't have on small devices.

> 
> For the majority of the people they will not even be aware of this
> vulnerability, let alone know how to fix this in a safe way. I'd like
> to discuss whether it would be a good idea to make downloading over
> https via opkg default by changing the distfeed file and including the
> required packages. We might even decide to only do this on targets
> that are not starved for flash storage. Any opinions regarding this
> matter?

Please take a look at usign and how we do verify package downloads,
if you feel anything there allows for MitM or other types of
security problems, please get back to us.

Cheers

Daniel

_______________________________________________
Lede-dev mailing list
Lede-dev@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/lede-dev
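As an added illustration of the integrity check Daniel describes (this is example code written for this page, not OpenWrt's or opkg's own implementation), the snippet below parses a constructed opkg "Packages" index and checks a downloaded package's size and SHA256sum against it. It assumes the index text has already passed usign signature verification against a key in /etc/opkg/keys; that step is outside this example, and the sample payloads and index are constructed here.

```python
import hashlib
import hmac

# Constructed stand-ins for .ipk payloads; TAMPERED differs in one byte,
# as a corrupted or altered download would.
GOOD_PKG = b"\x1f\x8b\x08\x00constructed-ipk-payload-for-demo"
TAMPERED_PKG = GOOD_PKG[:-1] + b"X"

# Constructed "Packages" index in the feed's stanza format. On a device this
# text is fetched over http and trusted only after usign has verified its
# signature; the hash is derived here only because the payload is constructed.
PACKAGES_INDEX = (
    "Package: example\n"
    "Filename: example_1.0-1_all.ipk\n"
    f"Size: {len(GOOD_PKG)}\n"
    f"SHA256sum: {hashlib.sha256(GOOD_PKG).hexdigest()}\n"
    "\n"
    "Package: other\n"
    "Filename: other_2.0-1_all.ipk\n"
    "Size: 12\n"
    "SHA256sum: " + "0" * 64 + "\n"
)


def parse_packages_index(text):
    """Split the index into blank-line separated stanzas, keyed by Filename."""
    entries = {}
    for stanza in text.strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        if "Filename" in fields:
            entries[fields["Filename"]] = fields
    return entries


def verify_package(entries, filename, data):
    """Return (ok, reason) for downloaded bytes against the signed index."""
    entry = entries.get(filename)
    if entry is None:
        return False, "package not listed in signed index"
    if int(entry.get("Size", -1)) != len(data):
        return False, "size mismatch"
    expected = entry.get("SHA256sum", "").lower()
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(expected, actual):  # constant-time compare
        return False, "sha256 mismatch: download altered or corrupted"
    return True, "ok"


if __name__ == "__main__":
    idx = parse_packages_index(PACKAGES_INDEX)
    for pkg in (GOOD_PKG, TAMPERED_PKG):
        print(verify_package(idx, "example_1.0-1_all.ipk", pkg))
```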
