#13346: OpenWRT downloads susceptible to MITM attacks?
------------------------------+--------------------------------
  Reporter:  openwrt-devel@…  |      Owner:
      Type:  defect           |     Status:  reopened
  Priority:  highest          |  Milestone:
 Component:  website          |    Version:
Resolution:                   |   Keywords:  MD5 SSL HTTPS MITM
------------------------------+--------------------------------
Changes (by anonymous):

 * status:  closed => reopened
 * resolution:  fixed =>


Comment:

 Where has this been fixed? The recent trunk snapshots still only have a
 list with md5sums in the directory. No SHA checksums. Also, it's still
 possible to download via http and not only via https. When a simple user
 enters openwrt.org and then goes to downloads, he gets an http connection
 by default and also downloads via http. It would be best here to
 completely disable non-secure connections.

 The normal openwrt.org is vulnerable to the OpenSSL CCS vulnerability
 (CVE-2014-0224). It also still has RC4 encryption enabled.

 https://www.ssllabs.com/ssltest/analyze.html?d=openwrt.org

 Also the dev.openwrt.org server is vulnerable to the OpenSSL CCS
 vulnerability (CVE-2014-0224). The server is running on an old nginx.

 https://www.ssllabs.com/ssltest/analyze.html?d=dev.openwrt.org

--
Ticket URL: <https://dev.openwrt.org/ticket/13346#comment:10>
OpenWrt <http://openwrt.org>
Opensource Wireless Router Technology
_______________________________________________
openwrt-tickets mailing list
[email protected]
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-tickets
