Hi to all,
I see that there is nice discussion about HTTPS, SSL and systime. This
is nice place to interact :)
Even if it sounds like more issues, in fact, there is big issue to
increase security in openwrt.
We are building BESIP images, based on OpenWrt. And we are trying to
solve more problems by our patches:
- DNSSEC support
- HTTPS support
- Certificates support/deploy
- Time synchronization
- UCI provisioning using secure url
All problems are connected together, and security is not achieved if one
of these items fails. I think that there should be some possibility to
embed enhanced security into OpenWrt. Otherwise, everybody will use
their own scripts/patches for their scenario. Everything is possible even
with today's trunk packages/libraries. But there is no "glue".
Maybe we should focus on it and try to solve it in trunk. Main questions:
- Is it too much code/RAM/CPU/??? to embed all of these things into the base
system? (cleanest way)
- Would it break many boxes because of HW requirements?
- Is it possible to make some package like "openwrt-security" which
would install all of this things?
- If somebody wants security, it is enough to use "openwrt-security"
package (embedded or opkg)
"openwrt-security" should:
- take care about systime at right time (very good solution is to use
file time of CAs if system time is not available)
- take care about basic CA setup (yes, this is probably most complicated
part. Which CA? How to deploy them secure?)
- take care about required libraries and applications to be secure and
to use these technologies
Maybe we do not need DNSSEC if we use HTTPS (we use unbound-host for
queries in script), but it would be very nice to use it too.
It would be great to make some discussion about this and find some
solution. I know that we should look into security from OpenWrt side
(opkg over https, sysupgrade over https,..) and client security (DNSSEC
support, DNSSEC proxy support,..).
Did I miss something?
Thank you,
Lukas Macura
On 2.1.2014 09:26, David Lang wrote:
On Thu, 2 Jan 2014, Peter Lawler wrote:
On 01/01/14 23:11, Weedy wrote:
If this really bothers you, you build from source. And vet the
source code
before building images.
This is what I do for my clients.
Someone also mentioned this approach on the trac issue[0], so I'll use
same comments here as well. No offence meant by not personalising it :)
---
Someone asked me earlier today about how a 'self built' approach
alleviates the chicken and egg problem of the compiler[1]
why should you trust the compiler used by the project more than the
compiler on your system?
In any case, don't the people you are trying to defend against have
the power to forge SSL certs as well? (by being able to get some CA
that your system trusts to sign a cert that they control) so even if
you downloaded via HTTPS they could still mitm your download.
I would suggest that you turn your concerns closer to home. How do you
know they haven't put malware on your hard drive the way that this
page shows can be done? http://spritesmods.com/?art=hddhack
not to mention the possibility of your smartphone being hacked by its
charger, and then being used to hack the rest of your system.
There are so many ways in that modifying the source code you download
in a way that will still compile on a project that changes as rapidly
as openwrt is a very daunting task, and you should expect that they
have far better uses of their time.
David Lang
At minimum, I'd suggest maybe it'd be a better usage of
infrastructure/development time for OpenWRT to consider
reproducible/deterministic binaries[2][3] or am I showing my ignorance
of current practice of OpenWRT?
Cheers,
Pete.
[0] https://dev.openwrt.org/ticket/13346#comment:6
[1] http://cm.bell-labs.com/who/ken/trust.html
[2] https://wiki.debian.org/ReproducibleBuilds
[3] https://blog.torproject.org/blog/deterministic-builds-part-one-cyberwar-and-global-compromise
_______________________________________________
openwrt-devel mailing list
[email protected]
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
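
An added example, not part of the original thread and not OpenWrt or BESIP code: a shell script for the idea in Lukas Macura's message of using the file time of the CAs when system time is not available, so that certificate validity checks do not fail on a clock that starts far in the past. The CA directory, the function names and the `apply`/`demo` modes are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: use CA file times as a lower bound for the system clock.
# CA_DIR is an assumed location; adjust to where the image stores its CAs.
CA_DIR=${CA_DIR:-/etc/ssl/certs}

# newest_mtime DIR: print the newest mtime (epoch seconds) of the regular
# files in DIR, or 0 when there are none.
newest_mtime() {
    newest=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        m=$(date -r "$f" +%s 2>/dev/null) || continue
        if [ "$m" -gt "$newest" ]; then newest=$m; fi
    done
    echo "$newest"
}

# clock_floor NOW DIR: print the time the clock should hold. A clock that
# reads earlier than the newest CA file is certainly wrong, so it is raised
# to that file time; a later clock is left alone.
clock_floor() {
    floor=$(newest_mtime "$2")
    if [ "$1" -lt "$floor" ]; then echo "$floor"; else echo "$1"; fi
}

case "${1:-}" in
apply)  # run early at boot, before anything validates a certificate
    now=$(date +%s)
    target=$(clock_floor "$now" "$CA_DIR")
    # This is only a floor: certificates that expired after the CA files
    # were written still look valid until a real time sync happens.
    [ "$target" -eq "$now" ] || date -s "@$target"
    ;;
demo)   # constructed sample: two empty files with known dates
    d=$(mktemp -d)
    TZ=UTC touch -t 201306010000 "$d/old-ca.pem"
    TZ=UTC touch -t 201401020000 "$d/new-ca.pem"
    echo "clock at 0 -> $(clock_floor 0 "$d")"
    rm -rf "$d"
    ;;
esac
```

The result is only as good as the file times the image or the deployment step preserves on the CA files, and it never moves the clock backwards.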