[LEDE-DEV] OPKG Encryption
Jaap Buurman
jaapbuurman at gmail.com
Tue Apr 17 01:31:22 PDT 2018
Dear Sven,
I wasn't aware of signature checking and hence I agree with yours and
Jo-Philipp's sentiment that this would be a bad idea. Please disregard
my suggestion. Thank you very much for teaching me about the signature
verification system.
Yours sincerely,
Jaap Buurman
On Tue, Apr 17, 2018 at 10:27 AM, Sven Eckelmann
<sven.eckelmann at openmesh.com> wrote:
> On Dienstag, 17. April 2018 10:03:10 CEST Jaap Buurman wrote:
>> Hello all,
>>
>> Today I discovered that pulling packages from the feeds is done over
>> http by default instead of https. I understand it is always going to
>> be a trade-off between space requirements and features/security.
>> However, pulling in packages over an unencrypted connection will allow
>> for easy manipulation of the package's contents via a MITM attack. For
>> a router that is going to run these packages, that stands between all
>> your devices and the big bad internet that is an unacceptable
>> trade-off in my opinion.
> [...]
>
> Are you aware of the Packages signature [1] and the sha256sums in the Packages
> file? opkg is checking the signature [3] when the Packages file is downloaded.
> The sha256sum is checked after the package was downloaded and before it was
> installed [4]
>
> Kind regards,
> Sven
>
>
> [1] https://downloads.openwrt.org/releases/17.01.4/targets/ar71xx/generic/packages/Packages.sig
> [2] https://downloads.openwrt.org/releases/17.01.4/targets/ar71xx/generic/packages/Packages
> [3] https://git.openwrt.org/?p=project/opkg-lede.git;a=blob;f=libopkg/opkg_cmd.c;h=c823df8b6006bffa2516443fab3718cd112ae3b3;hb=3b417b9f41b4ceb5912d82f867dd5534e5675b5c#l170
> [4] https://git.openwrt.org/?p=project/opkg-lede.git;a=blob;f=libopkg/opkg_install.c;h=e6f8a1b6276ede518a5c59b2f9347f1de8e5dd7a;hb=3b417b9f41b4ceb5912d82f867dd5534e5675b5c#l1386
More information about the Lede-dev
mailing list