On 10/25/22 17:25, Reuben Dowle wrote:
I have myself gone through the process of getting an openwrt based product through a security audit.

The issue of HTTP listening on all interfaces also came up in my audit, but the auditors were happy with the explanation that the firewall prevented any access through the WAN interface. If the people auditing your system are only interested in security 'theatre', then that is really a poor quality/incompetent audit process.

Well, I agree. For clarity, years ago I had been through reviews with both
Microsoft and Intel, with some combination of Ubuntu/OpenWrt, so had some
expectation here. Those reviews turned up their share of nonsense, but things
have changed I guess.

My hands are tied, we gotta do the dance.

That said, I think that limiting the listening ports of uhttpd is a good idea. I
hardly see any downside to it, apart from maybe adding some complexity.

I think adding complexity here is a pretty good argument against this.

Certainly. But failing an official fix, I'm left to a workaround of my own devising, which is unlikely to be robust in the short term, but will have to do - unless someone has other suggestions.

To be clear to everyone here - I appreciate the feedback, and likely agree with
everything that's been said - I've been doing this as long as you guys, so
I know the ins and outs, but I think the conversation is still worth having.

_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
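As an added example that is not code from this thread: a small POSIX shell check for the "uhttpd listening on all interfaces" point above, run against two constructed /etc/config/uhttpd samples (the default wildcard binds and a LAN-only variant). The option names listen_http and listen_https are uhttpd's real UCI options; the LAN address 192.168.1.1 and the sample contents are assumptions.

```shell
#!/bin/sh
# Audit a uhttpd UCI config for listeners bound to every interface, and show the
# LAN-only form beside it. Both configs are constructed samples in the syntax of
# /etc/config/uhttpd; the LAN address 192.168.1.1 is an assumption.

UHTTPD_CONF_DEFAULT="config uhttpd 'main'
	list listen_http '0.0.0.0:80'
	list listen_http '[::]:80'
	list listen_https '0.0.0.0:443'
	list listen_https '[::]:443'
	option home '/www'
"

# Hardened variant: bind only to the LAN address, so that WAN exposure no longer
# depends on the firewall rules alone.
UHTTPD_CONF_LAN="config uhttpd 'main'
	list listen_http '192.168.1.1:80'
	list listen_https '192.168.1.1:443'
	option home '/www'
"

# wildcard_listeners CONFIG_TEXT
# Prints each listen_http/listen_https entry bound to 0.0.0.0 or [::] (one per line)
# and returns 1 if any was found, 0 if every listener has a specific address.
wildcard_listeners() {
	printf '%s\n' "$1" | tr -d "'" | awk '
		$1 == "list" && ($2 == "listen_http" || $2 == "listen_https") {
			addr = $3
			sub(/:[0-9]+$/, "", addr)          # drop the port suffix
			if (addr == "0.0.0.0" || addr == "[::]") {
				print $2 " " $3
				found = 1
			}
		}
		END { if (found) exit 1; exit 0 }'
}

# On the device, the hardened form is applied with UCI (192.168.1.1 assumed):
#   uci delete uhttpd.main.listen_http
#   uci add_list uhttpd.main.listen_http='192.168.1.1:80'
#   uci delete uhttpd.main.listen_https
#   uci add_list uhttpd.main.listen_https='192.168.1.1:443'
#   uci commit uhttpd && /etc/init.d/uhttpd restart

if wildcard_listeners "$UHTTPD_CONF_DEFAULT"; then
	echo "default config: no wildcard listeners"
else
	echo "default config: wildcard listeners found (listed above)"
fi
```

After restarting uhttpd on a real device, `netstat -ltn` (or `ss -ltn` where available) should show the HTTP/HTTPS ports bound to the LAN address only.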