[LEDE-DEV] OPKG Encryption
Jaap Buurman
jaapbuurman at gmail.com
Tue Apr 17 01:26:35 PDT 2018
Dear Alberto Bursi,
I did not know about signature verification. I agree that there are no
secrets to hide and hence signature verification should be sufficient
to avoid tampering. Thank you very much for your reassurance.
Yours sincerely,
Jaap Buurman
On Tue, Apr 17, 2018 at 10:13 AM, Alberto Bursi
<bobafetthotmail at gmail.com> wrote:
>
>
> On 17/04/2018 10:03, Jaap Buurman wrote:
>>
>> Hello all,
>>
>> Today I discovered that pulling packages from the feeds is done over
>> http by default instead of https.
>
>
> Just like many other distros (like say Debian that provides either http or
> ftp mirrors) the packages themselves are signed and checked by opkg on
> installation, so any MITM tampering will be detected and the package will
> not be installed. There is no need to send packages over https as there are
> no secrets being sent over, signatures are enough if you just need to avoid
> tampering and MITM.
> See wiki for details
>
> https://openwrt.org/docs/guide-user/security/security-features
>
> https://openwrt.org/docs/guide-user/security/release_signatures
>
> -Alberto
More information about the Lede-dev
mailing list