<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">John Crispin <span dir="ltr"><<a href="mailto:blogic@openwrt.org" target="_blank">blogic@openwrt.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><span class="">Brian Smith wrote:<br>> <a href="https://wiki.openwrt.org/doc/devel/security" rel="noreferrer" target="_blank">https://wiki.openwrt.org/doc/devel/security</a><br>
><br>
> The page is intended to be for OpenWrt developers, people doing custom<br>
> builds, and for people developing products on top of OpenWrt. Obviously,<br>
> I am a OpenWrt newb so I probably got a lot of things wrong and I<br>
> probably left a lot of things out. Any help improving the above page<br>
> would be appreciated.<br>
><br>
<br>
</span>Hi Brian,<br>
<br>
correct me if i am wrong but automatic fw upgrades in the field by<br>
controlled by openwrt is not a security feature but a rather insane<br>
idea. what makes you think that we would even want or consider doing so<br>
?</blockquote><div><br></div><div>John,</div><div><br></div><div>First, thanks for taking the time to read what I wrote on the wiki page.</div><div><br></div><div>IMO, most people would have time justifying the deployment of a SOHO router that doesn't support automatic updates of some fashion, especially now that so many alternatives that do automatically update exist. So, I want to find a way to combine the openness of OpenWrt with the benefits of automatic, silent, updates.</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"> i like the fact that you trust me enough to give me full remote root<br>
access to your router and network but common, does that not ring some<br>
alarm bells ?</blockquote><div><br></div><div>In the wiki page, I'd already written:</div><div><br></div><div><span style="color:rgb(51,51,51);font-family:Arial,sans-serif;font-size:14px;line-height:9.8px;background-color:rgba(255,255,255,0.8)"> Automatic updates rely on cryptographic signatures of the</span></div><div><span style="color:rgb(51,51,51);font-family:Arial,sans-serif;font-size:14px;line-height:9.8px;background-color:rgba(255,255,255,0.8)"> updates to ensure that the updates are from a trusted source;</span></div><div><span style="color:rgb(51,51,51);font-family:Arial,sans-serif;font-size:14px;line-height:9.8px;background-color:rgba(255,255,255,0.8)"> i.e. are not malicious. But, in a decentralized project like</span></div><div><span style="color:rgb(51,51,51);font-family:Arial,sans-serif;font-size:14px;line-height:9.8px;background-color:rgba(255,255,255,0.8)"> OpenWrt, there's no one person that can be trusted with the</span></div><div><span style="color:rgb(51,51,51);font-family:Arial,sans-serif;font-size:14px;line-height:9.8px;background-color:rgba(255,255,255,0.8)"> signing keys.</span></div><div><span style="color:rgb(51,51,51);font-family:Arial,sans-serif;font-size:14px;line-height:9.8px;background-color:rgba(255,255,255,0.8)"><br></span></div><div><span style="color:rgb(51,51,51);font-family:Arial,sans-serif;font-size:14px;line-height:9.8px;background-color:rgba(255,255,255,0.8)">My intent was to express exactly the same idea as you expressed above.</span></div><div><span style="color:rgb(51,51,51);font-family:Arial,sans-serif;font-size:14px;line-height:9.8px;background-color:rgba(255,255,255,0.8)"><br></span></div><div><div><span style="color:rgb(51,51,51);font-family:Arial,sans-serif;font-size:14px;line-height:9.8px;background-color:rgba(255,255,255,0.8)">Maybe it would be helpful to break the issue into two parts:</span></div><div><span style="color:rgb(51,51,51);font-family:Arial,sans-serif;font-size:14px;line-height:9.8px;background-color:rgba(255,255,255,0.8)"><br></span></div><div><span style="color:rgb(51,51,51);font-family:Arial,sans-serif;font-size:14px;line-height:9.8px;background-color:rgba(255,255,255,0.8)">1. It would be a good idea for OpenWrt to have a framework that makes it easy for vendors building products on top of OpenWrt to enable automatic updates, where the vendor is responsible for building, signing, and distributing the updates. The users have to trust the vendor, but this is no different than today. I know there is nothing crazy or particularly troublesome about this kind of thing, because it has been done many times.</span></div></div><div><span style="color:rgb(51,51,51);font-family:Arial,sans-serif;font-size:14px;line-height:9.8px;background-color:rgba(255,255,255,0.8)"><br></span></div><div><span style="color:rgb(51,51,51);font-family:Arial,sans-serif;font-size:14px;line-height:9.8px;background-color:rgba(255,255,255,0.8)">2. It would be a good idea to find a way for people using OpenWrt to automatically update their hardware from OpenWrt-sourced updates. </span><span style="color:rgb(51,51,51);font-family:Arial,sans-serif;font-size:14px;line-height:9.8px;background-color:rgba(255,255,255,0.8)">On the wiki page, I had also written:</span></div><div><span style="color:rgb(51,51,51);font-family:Arial,sans-serif;font-size:14px;line-height:9.8px;background-color:rgba(255,255,255,0.8)"><br></span></div><div><span style="color:rgb(51,51,51);font-family:Arial,sans-serif;font-size:14px;line-height:9.8px;background-color:rgba(255,255,255,0.8)"> [...] Perhaps some kind of voting system for</span></div><div><span style="color:rgb(51,51,51);font-family:Arial,sans-serif;font-size:14px;line-height:9.8px;background-color:rgba(255,255,255,0.8)"> trustworthiness of updates; such a system would almost</span></div><div><span style="color:rgb(51,51,51);font-family:Arial,sans-serif;font-size:14px;line-height:9.8px;background-color:rgba(255,255,255,0.8)"> definitely depend on reproducible builds.</span><br></div><div><span style="color:rgb(51,51,51);font-family:Arial,sans-serif;font-size:14px;line-height:9.8px;background-color:rgba(255,255,255,0.8)"><br></span></div><div><span style="color:rgb(51,51,51);font-family:Arial,sans-serif;font-size:14px;line-height:9.8px;background-color:rgba(255,255,255,0.8)">Perhaps you are skeptical that we could create a consensus system for making updates sourced directly from OpenWrt safe. It's good to be skeptical of that idea, because it is quite hard. I am very familiar with how hard it is, because when I helped design and implement the automatic update mechanisms for the Firefox web browser and the FirefoxOS phone OS, I ran out of time to document or prototype it. However, I did think about this problem a lot, because so many Firefox users are worried about evil updates, and because I used to work on Firefox's SSL certificate stuff, and IMO distributed consensus mechanisms are the solution to the fundamental brokenness of "the CA system." I still don't have time to prototype my ideas here yet. Even so, I think there's nothing fundamentally wrong with the idea in the abstract. Some deployed examples of such distributed consensus mechanisms include Google's Certificate Transparency support for enhancing SSL certificate security, and Bitcoin. If there are people who have time to prototype this stuff, I would be happy to share my ideas with them.</span></div><div><br></div><div>Thanks again for the feedback. If you or others have more feedback on the content of the wiki page, I would very much appreciate getting it.</div><div><br></div></div><div>Thanks,</div><div>Brian</div>-- <br><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><a href="https://briansmith.org/" target="_blank">https://briansmith.org/</a></div><div><br></div></div></div></div></div></div></div>
</div></div>