[LEDE-DEV] OPKG Encryption

Jaap Buurman jaapbuurman at gmail.com
Tue Apr 17 01:03:10 PDT 2018


Hello all,

Today I discovered that pulling packages from the feeds is done over
http by default instead of https. I understand it is always going to
be a trade-off between space requirements and features/security.
However, pulling in packages over an unencrypted connection will allow
for easy manipulation of the package's contents via a MITM attack. For
a router that is going to run these packages, that stands between all
your devices and the big bad internet, that is an unacceptable
trade-off in my opinion.

The fix itself is quite easy and involves changing the lines in
/etc/opkg/distfeeds.conf to https versions. Additionally, a package
that can download over https such as wget + ca-certificates is needed.
However, as you might already see, to fix this vulnerability you need
to use the vulnerable component to install these packages. Or you need
to pull in the packages via your computer, ssh it over to your router
and install it manually. Or you need to compile these packages in.

For the majority of the people they will not even be aware of this
vulnerability, let alone know how to fix this in a safe way. I'd like
to discuss whether it would be a good idea to make downloading over
https via opkg default by changing the distfeed file and including the
required packages. We might even decide to only do this on targets
that are not starved for flash storage. Any opinions regarding this
matter?

Yours sincerely,

Jaap Buurman
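
The feed change described in the message above, as an added example that is not part of the original post or of the project's own tooling: it rewrites only the feed lines of a distfeeds.conf-style file to https, and refuses to do so when no CA bundle is present, since the device could then no longer fetch packages. The function names, the CA bundle path and the sample host in the comments are assumptions.

```shell
#!/bin/sh
# Added example: switch opkg feed URLs from http to https, but only when a
# CA bundle is present so TLS certificates can actually be verified.

# Assumption: where the ca-certificates package puts its bundle (override via env).
CA_BUNDLE="${CA_BUNDLE:-/etc/ssl/certs/ca-certificates.crt}"

# Feed lines have the form:  src/gz <name> <url>
# (constructed sample:       src/gz core http://downloads.example.org/core)
FEED_RE='^([[:space:]]*src(/gz)?[[:space:]]+[^[:space:]]+[[:space:]]+)http://'

# Print every feed line that still uses plain http.
# Exit status 0 if at least one was found, 1 if all feeds are already https.
insecure_feeds() {
    grep -E "$FEED_RE" "$1"
}

# Rewrite http:// to https:// on feed lines only; comments and other
# options are left untouched. Returns 1 and changes nothing if the CA
# bundle is missing or empty.
feeds_to_https() {
    conf="$1"
    if [ ! -s "$CA_BUNDLE" ]; then
        echo "no CA bundle at $CA_BUNDLE; leaving $conf unchanged" >&2
        return 1
    fi
    tmp="$conf.tmp.$$"
    # Write to a temp file first so a failed sed never truncates the config.
    if sed -E "s#$FEED_RE#\\1https://#" "$conf" > "$tmp"; then
        cat "$tmp" > "$conf"   # keeps the original file's owner and mode
        rm -f "$tmp"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Usage: sh feeds-https.sh /etc/opkg/distfeeds.conf
if [ "$#" -gt 0 ]; then
    if insecure_feeds "$1"; then
        feeds_to_https "$1"
    fi
fi
```

Run it after the https-capable downloader and CA certificates are already on the device.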


