Hello all, Today I discovered that pulling packages from the feeds is done over http by default instead of https. I understand it is always going to be a trade-off between space requirements and features/security. However, pulling in packages over an unencrypted connection will allow for easy manipulation of the package's contents via a MITM attack. For a router that is going to run these packages, that stands between all your devices and the big bad internet that is an unacceptable trade-off in my opinion.
The fix itself is quite easy and involves changing the lines in /etc/opkg/distfeeds.conf to https versions. Additionally, a package that can download over https such as wget + ca-certicates is needed. However, as you might already see, to fix this vulnerability you need to use the vulnerable component to install these packages. Or you need to pull in the packages via your computer, ssh it over to your router and install it manually. Or you need to compile these packages in. For the majority of the people they will not even be aware of this vulnerability, let alone know how to fix this in a safe way. I'd like to discuss whether it would be a good idea to make downloading over https via opkg default by changing the distfeed file and including the required packages. We might even decide to only do this on targets that are not starved for flash storage. Any opinions regarding this matter? Yours sincerely, Jaap Buurman _______________________________________________ Lede-dev mailing list Lede-dev@lists.infradead.org http://lists.infradead.org/mailman/listinfo/lede-dev
