|
|
|
|
|
|
by pkgsupplysec
2333 days ago
|
|
|
It's definitely an issue that the sha256 checksum check was broken. But, can someone explain why a person who is MITM'ing ipk downloads would change the package and not the checksum? Are there GPG signatures of the package checksums signed with a key that ships with the release? Are package repos downloaded over HTTPS? Is there a CA bundle in the release with which repo x.509 certs are validated? |
|
|
The OpenWRT firmware couldn't access https sites without installing multiple packages first. Then they had me install all the root certs over an unencrypted connection. The opkg repos and install files are all downloaded over http.
With full seriousness, I really hope nobody expects operational security using these routers.