Hi

----- Original message -----
> From: "Weedy" <[email protected]>
> To: "OpenWrt Development List" <[email protected]>
> Sent: Wednesday, 1 January 2014 13:11:08
> Subject: Re: [OpenWrt-Devel] HTTPS for binaries
>
> If this really bothers you, you build from source. And vet the source
> code before building images.
>
> This is what I do for my clients.
> On 1 Jan 2014 05:24, "iyCXLONo mVUTxeyv" <[email protected]> wrote:
>
> Hello,
>
> Is it possible to download OpenWrt binaries over HTTPS? If not, which
> seems to be the case, I want to suggest that HTTPS for downloads is
> needed. The HTTP downloads are at risk of man-in-the-middle attacks.
> For instance, compromised binaries could be supplied in response to
> HTTP download requests. Also, downloads could be eavesdropped to
> learn the hardware of a downloader, which increases the risk of the
> downloader to targeted attack.
>
> If this seems like a paranoid concern, it was reported a few days ago
> that the NSA is building a network of hacked routers across the
> globe as part of its QFIRE program [1]. Given the general state of
> consumer router security, it seems unlikely that intelligence
> agencies are targeting specifically OpenWrt downloads, but we know
> both that routers are a target and that HTTP downloads are a
> vulnerability, which amounts to a real risk for OpenWrt users.
>
> A Trac ticket from April exists for HTTPS downloads, but it has not
> gotten much attention [2].
>
> [1] http://cryptome.org/2013/12/appelbaum-30c3.pdf , slide 18
> [2] https://dev.openwrt.org/ticket/13346
>
> Thanks,
> iyCXLONo

You can now (3 months ago) sign Packages.gz (Packages.sig, signed with smime) so that opkg can verify it, and then verify the packages with sha256.
I don't know why smime was chosen over gpg (all distros are using gpg)?

https://dev.openwrt.org/changeset/38220
https://dev.openwrt.org/changeset/38284
https://dev.openwrt.org/changeset/38302
https://dev.openwrt.org/changeset/38390

For now the buildbot doesn't seem to be configured to sign anything.

Maybe we should sign the md5sums (or sha256sums) file with gpg or smime so we can verify it.
Also the public key could be committed in the openwrt repo.

HTTPS is easy to add, but it's only connection security; in case of a server break-in, you still don't know what you're downloading over HTTPS.
It's also a problem to set up mirrors.

Regards,
Etienne
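
The second half of the chain described in the reply above (a signed Packages index, then per-package sha256), sketched as an added example; it is not part of the original thread and is not opkg's code. It assumes the index text has already passed the Packages.sig signature check, and that each stanza carries `Filename` and `SHA256sum` fields; the sample index and package bytes are constructed.

```python
import hashlib


def parse_packages_index(text):
    """Parse an opkg-style Packages index into {filename: sha256 hex digest}."""
    entries = {}
    for stanza in text.strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            # Skip continuation lines of multi-line fields (e.g. Description).
            if line[:1] in (" ", "\t") or ":" not in line:
                continue
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        name, digest = fields.get("Filename"), fields.get("SHA256sum")
        if name and digest:
            entries[name] = digest.lower()
    return entries


def verify_package(index, filename, data):
    """Return True only if data hashes to the digest the trusted index lists."""
    expected = index.get(filename)
    if expected is None:
        return False  # not listed, or listed without a hash: fail closed
    return hashlib.sha256(data).hexdigest() == expected


# Constructed sample data (not real OpenWrt packages).
SAMPLE_PKG = b"constructed package bytes"
SAMPLE_INDEX = (
    "Package: example\n"
    "Version: 1.0-1\n"
    "Filename: example_1.0-1_all.ipk\n"
    "SHA256sum: " + hashlib.sha256(SAMPLE_PKG).hexdigest() + "\n"
    "Description: constructed entry\n"
    " with a continuation line: ignored by the parser\n"
    "\n"
    "Package: nohash\n"
    "Filename: nohash_1.0-1_all.ipk\n"
)

if __name__ == "__main__":
    idx = parse_packages_index(SAMPLE_INDEX)
    print(verify_package(idx, "example_1.0-1_all.ipk", SAMPLE_PKG))         # intact
    print(verify_package(idx, "example_1.0-1_all.ipk", SAMPLE_PKG + b"x"))  # modified
    print(verify_package(idx, "nohash_1.0-1_all.ipk", b""))                 # no hash
```

The hash comparison only means something if the index itself was authenticated first; an unsigned index fetched over the same channel as the package can be replaced along with it.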
