On Dienstag, 17. April 2018 10:03:10 CEST Jaap Buurman wrote: > Hello all, > > Today I discovered that pulling packages from the feeds is done over > http by default instead of https. I understand it is always going to > be a trade-off between space requirements and features/security. > However, pulling in packages over an unencrypted connection will allow > for easy manipulation of the package's contents via a MITM attack. For > a router that is going to run these packages, that stands between all > your devices and the big bad internet that is an unacceptable > trade-off in my opinion. [...]
Are you aware of the Packages signature [1] and the sha256sums in the Packages
file? opkg is checking the signature [3] when the Packages file is downloaded.
The sha256sum is checked after the package was downloaded and before it was
installed [4]
Kind regards,
Sven
[1]
https://downloads.openwrt.org/releases/17.01.4/targets/ar71xx/generic/packages/Packages.sig
[2]
https://downloads.openwrt.org/releases/17.01.4/targets/ar71xx/generic/packages/Packages
[3]
https://git.openwrt.org/?p=project/opkg-lede.git;a=blob;f=libopkg/opkg_cmd.c;h=c823df8b6006bffa2516443fab3718cd112ae3b3;hb=3b417b9f41b4ceb5912d82f867dd5534e5675b5c#l170
[4]
https://git.openwrt.org/?p=project/opkg-lede.git;a=blob;f=libopkg/opkg_install.c;h=e6f8a1b6276ede518a5c59b2f9347f1de8e5dd7a;hb=3b417b9f41b4ceb5912d82f867dd5534e5675b5c#l1386
signature.asc
Description: This is a digitally signed message part.
_______________________________________________ Lede-dev mailing list Lede-dev@lists.infradead.org http://lists.infradead.org/mailman/listinfo/lede-dev
