[LEDE-DEV] OPKG Encryption
Sven Eckelmann
sven.eckelmann at openmesh.com
Tue Apr 17 01:27:42 PDT 2018
On Dienstag, 17. April 2018 10:03:10 CEST Jaap Buurman wrote:
> Hello all,
>
> Today I discovered that pulling packages from the feeds is done over
> http by default instead of https. I understand it is always going to
> be a trade-off between space requirements and features/security.
> However, pulling in packages over an unencrypted connection will allow
> for easy manipulation of the package's contents via a MITM attack. For
> a router that is going to run these packages, that stands between all
> your devices and the big bad internet that is an unacceptable
> trade-off in my opinion.
[...]
Are you aware of the Packages signature [1] and the sha256sums in the Packages
file? opkg is checking the signature [3] when the Packages file is downloaded.
The sha256sum is checked after the package was downloaded and before it was
installed [4]
Kind regards,
Sven
[1] https://downloads.openwrt.org/releases/17.01.4/targets/ar71xx/generic/packages/Packages.sig
[2] https://downloads.openwrt.org/releases/17.01.4/targets/ar71xx/generic/packages/Packages
[3] https://git.openwrt.org/?p=project/opkg-lede.git;a=blob;f=libopkg/opkg_cmd.c;h=c823df8b6006bffa2516443fab3718cd112ae3b3;hb=3b417b9f41b4ceb5912d82f867dd5534e5675b5c#l170
[4] https://git.openwrt.org/?p=project/opkg-lede.git;a=blob;f=libopkg/opkg_install.c;h=e6f8a1b6276ede518a5c59b2f9347f1de8e5dd7a;hb=3b417b9f41b4ceb5912d82f867dd5534e5675b5c#l1386
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.infradead.org/pipermail/lede-dev/attachments/20180417/cb486b9c/attachment.sig>
More information about the Lede-dev
mailing list