Hello,

Is it possible to download OpenWrt binaries over HTTPS? If not, which seems to be the case, I want to suggest that HTTPS for downloads is needed. The HTTP downloads are at risk of man-in-the-middle attacks. For instance, compromised binaries could be supplied in response to HTTP download requests. Also, downloads could be eavesdropped to learn the hardware of a downloader, which increases the risk of the downloader to targeted attack.

If this seems like a paranoid concern, it was reported a few days ago that the NSA is building a network of hacked routers across the globe as part of its QFIRE program [1]. Given the general state of consumer router security, it seems unlikely that intelligence agencies are targeting specifically OpenWrt downloads, but we know both that routers are a target and that HTTP downloads are a vulnerability, which amounts to a real risk for OpenWrt users.

A Trac ticket from April exists for HTTPS downloads, but it has not gotten much attention [2].

[1] http://cryptome.org/2013/12/appelbaum-30c3.pdf, slide 18
[2] https://dev.openwrt.org/ticket/13346

Thanks,
iyCXLONo
