[LEDE-DEV] OPKG Encryption

Jo-Philipp Wich jo at mein.io
Tue Apr 17 01:27:11 PDT 2018


Hello,

> Today I discovered that pulling packages from the feeds is done over 
> http by default instead of https. I understand it is always going to 
> be a trade-off between space requirements and features/security. 
> However, pulling in packages over an unencrypted connection will
> allow for easy manipulation of the package's contents via a MITM
> attack.

the package integrity is verified using SHA256 checksums, the checksum
file (the package index) integrity itself is verified using ed25519
based signature verification using pre-shipped public keys embedded into
the firmware images.

In order to perform a MITM, you'd need to either forge the Package index
in transit without breaking the signature verification or manage to
produce an SHA256 collision with arbitrary contents.

Opkg, by default, refuses to use downloaded package indexes that cannot
be verified.

> For a router that is going to run these packages, that stands between
> all your devices and the big bad internet that is an unacceptable 
> trade-off in my opinion.

Hence the signature based integrity verification.

> The fix itself is quite easy and involves changing the lines in 
> /etc/opkg/distfeeds.conf to https versions. Additionally, a package 
> that can download over https such as wget + ca-certificates is needed.

To match the security of the current signature system you would also
need to disallow all server certs except the one actually used by
*.openwrt.org / *.lede-project.org.

As history has shown, many pre-trusted CAs tend to have questionable
security practices.

> However, as you might already see, to fix this vulnerability you
> need to use the vulnerable component to install these packages. Or
> you need to pull in the packages via your computer, ssh it over to
> your router and install it manually. Or you need to compile these
> packages in.

Or use the existing signature verification.

> For the majority of the people they will not even be aware of this 
> vulnerability, let alone know how to fix this in a safe way. I'd
> like to discuss whether it would be a good idea to make downloading
> over https via opkg default by changing the distfeed file and
> including the required packages.

Given that the download integrity already is secured using checksums +
signed checksum files and that a "trust any HTTPS" model would actually
lower the security while requiring considerably more space, I strongly
object.

> We might even decide to only do this on targets that are not starved
> for flash storage. Any opinions regarding this matter?

Which would lead to even more confusion and a false sense of security.


~ Jo
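The verification chain Jo describes above (signed index, then per-package SHA256 against that index), as an added worked example that is not part of the thread and not opkg's or usign's own code. It models the two stages with Go's standard-library ed25519 and sha256: the signing key pair, the package payloads and the two-field index layout are all constructed for the example (a real index carries more fields and the real signature file format differs), and only the public key would ever be present on the device.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Constructed key material. On a real device only the public key exists,
// embedded in the firmware image; the private key stays with the build
// infrastructure. A fixed seed keeps the example deterministic.
var exampleSeed = bytes.Repeat([]byte{0x42}, ed25519.SeedSize)
var signingKey = ed25519.NewKeyFromSeed(exampleSeed)
var firmwarePubKey = signingKey.Public().(ed25519.PublicKey)

// Constructed package bodies standing in for .ipk files.
var packages = map[string][]byte{
	"wget":            []byte("constructed wget payload"),
	"ca-certificates": []byte("constructed ca-certificates payload"),
}

// buildIndex emits a simplified Packages-style list with one SHA256sum per
// package (assumption: real indexes carry many more fields per entry).
func buildIndex(pkgs map[string][]byte) []byte {
	var b strings.Builder
	for _, name := range []string{"ca-certificates", "wget"} { // fixed order
		sum := sha256.Sum256(pkgs[name])
		fmt.Fprintf(&b, "Package: %s\nSHA256sum: %s\n\n", name, hex.EncodeToString(sum[:]))
	}
	return []byte(b.String())
}

// signIndex is the build server's step: a detached ed25519 signature over
// the whole index file.
func signIndex(priv ed25519.PrivateKey, index []byte) []byte {
	return ed25519.Sign(priv, index)
}

// verifyIndex is the client's step: the index is parsed only after its
// signature checks out against the pre-shipped key, so any byte changed
// in transit (over plain http or otherwise) makes the whole index unusable.
func verifyIndex(pub ed25519.PublicKey, index, sig []byte) (map[string]string, error) {
	if !ed25519.Verify(pub, index, sig) {
		return nil, errors.New("package index signature invalid: refusing to use it")
	}
	expected := make(map[string]string)
	var current string
	for _, line := range strings.Split(string(index), "\n") {
		switch {
		case strings.HasPrefix(line, "Package: "):
			current = strings.TrimPrefix(line, "Package: ")
		case strings.HasPrefix(line, "SHA256sum: "):
			expected[current] = strings.TrimPrefix(line, "SHA256sum: ")
		}
	}
	return expected, nil
}

// verifyPackage compares a downloaded body with the hash recorded in the
// already-verified index. Without altering the signed index, substituting
// a body requires a SHA256 collision with chosen contents.
func verifyPackage(expected map[string]string, name string, data []byte) error {
	want, ok := expected[name]
	if !ok {
		return fmt.Errorf("%s: not listed in verified index", name)
	}
	got := sha256.Sum256(data)
	if hex.EncodeToString(got[:]) != want {
		return fmt.Errorf("%s: SHA256 mismatch, refusing to install", name)
	}
	return nil
}

func main() {
	index := buildIndex(packages)
	sig := signIndex(signingKey, index)

	// 1. Honest download: index verifies and the package hash matches.
	expected, err := verifyIndex(firmwarePubKey, index, sig)
	fmt.Println("clean index:", err, "| clean package:", verifyPackage(expected, "wget", packages["wget"]))

	// 2. Index rewritten in transit so it lists the hash of a different body:
	//    the signature no longer covers the bytes received.
	evil := []byte("constructed substitute wget payload")
	wgetSum, evilSum := sha256.Sum256(packages["wget"]), sha256.Sum256(evil)
	tampered := bytes.Replace(index,
		[]byte(hex.EncodeToString(wgetSum[:])), []byte(hex.EncodeToString(evilSum[:])), 1)
	_, err = verifyIndex(firmwarePubKey, tampered, sig)
	fmt.Println("rewritten index:", err)

	// 3. Genuine index, substituted package body: caught by the hash check.
	fmt.Println("substituted package:", verifyPackage(expected, "wget", evil))
}
```

The design point is the one the reply makes: the transport is untrusted by construction, and both failure modes (altered index, altered package) are rejected on the device from data that is already in the firmware, so https would add cost without adding a check that is not already performed.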