It could be a fallback, with a big red warning to manually check the certs are alright when you need it (e.g. too long without syncing your root certificates package). But for most cases there is no excuse for not having it local at all times.
I mean MITM a domain essential for the "distro" should be at least just a little bit harder than regular MITM.
Don't get me started on authoritative DNS security.
But, can someone explain why a person who is MITM'ing ipk downloads would change the package and not the checksum?
Are there GPG signatures of the package checksums signed with a key that ships with the release?
Are package repos downloaded over HTTPS? Is there a CA bundle in the release with which repo x.509 certs are validated?
The OpenWRT firmware couldn't access https sites without installing multiple packages first. Then they had me install all the root certs over an unencrypted connection. The opkg repos and install files are all downloaded over http.
With full seriousness, I really hope nobody expects operational security using these routers.
This was a problem because of the bug. But now it isn't one anymore. 'opkg update' updates the package lists. The lists contain information about the packages: name, file size, architecture, description etc., and also the SHA256sum. When you install a package opkg will compare the SHA256sums.
Firmware releases are also signed with GPG:
Actually, using a DNS server serving the wrong IP for downloads.openwrt.org will have the same effect.
Yes, pretty much.
I forget which ARM chip it ships with, but it's capable of pushing almost 200Mbps on WireGuard, and it's a significant bargain over the Linksys. Its antennas probably won't cover the same distance as the Linksys though; that works in my small apartment or if you use a couple of them in a mesh network. For a bigger house and if you like to keep things simple, the Linksys or the Turris are probably the best options.
My PC with an Intel Wireless-AC 9260 has the following network connection, reported by the OpenWRT interface: "400.0 Mbit/s, 40MHz, VHT-MCS 9, VHT-NSS 2, Short GI 400.0 Mbit/s, 40MHz, VHT-MCS 9, VHT-NSS 2, Short GI"
My work 2018 Macbook Pro gets the following: "540.0 Mbit/s, 40MHz, VHT-MCS 9, VHT-NSS 3 600.0 Mbit/s, 40MHz, VHT-MCS 9, VHT-NSS 3, Short GI"
Mine and my wife's LG V40 Android phones get this reported speed: "400.0 Mbit/s, 40MHz, VHT-MCS 9, VHT-NSS 2, Short GI 6.0 Mbit/s, 40MHz"
Not sure if there's any extra information I can provide. I'm not affiliated with Linksys.
If you care about performance rather than open source purity tests, Asus RT-AX88U is the way to go.
Most OpenWRT ports don't offload the LAN/WAN routing, and doing it on a lowly ARM CPU often effectively limits this to a few hundred megabits - e.g. 150Mbps on my WDR4300 (which does manage 800Mbps for the same task with the original closed firmware, which does do some hardware offloading).
Know some people who use them for a bridged setup over ac standard. No issues there as well.
I can't believe someone messed up something so simple! (Sarcasm)
There HAS to be a better way lmao
That said, perhaps it's just too early in the morning but I don't think that commit introduced the error. The math/logic looks to be identical and I think the bug is `line + strlen("SHA256sum") + 1` which was already there before and doesn't increment past any spaces which might come after the (implied I guess?) colon. Though considering the colon isn't checked for in `SHA256sum`, you could put any character there and it'll work. Yay...
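A stricter way to read the field this comment discusses, as an added example that is not opkg's code and not from the thread: it requires the colon, skips blanks before the digest, and treats anything malformed as a verification failure. The function names and the sample digest are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not opkg's code: parse one "SHA256sum: <hex>" line.
 * Returns 1 and fills out[65] only for a well-formed field, else 0. */
int parse_sha256_field(const char *line, char out[65])
{
    static const char key[] = "SHA256sum";
    size_t klen = sizeof(key) - 1, i;
    const char *p;

    if (strncmp(line, key, klen) != 0 || line[klen] != ':')
        return 0;                      /* wrong key, or separator is not a colon */
    p = line + klen + 1;
    while (*p == ' ' || *p == '\t')    /* blanks after the colon are allowed */
        p++;
    for (i = 0; i < 64; i++) {
        if (!isxdigit((unsigned char)p[i]))
            return 0;                  /* short or non-hex digest */
        out[i] = (char)tolower((unsigned char)p[i]);
    }
    out[64] = '\0';
    p += 64;
    while (*p == ' ' || *p == '\t' || *p == '\r' || *p == '\n')
        p++;
    return *p == '\0';                 /* reject trailing garbage */
}

/* A missing or malformed checksum is a failure, never a reason to skip the
 * comparison. computed_hex: lowercase SHA-256 of the file, computed elsewhere. */
int checksum_ok(const char *list_line, const char *computed_hex)
{
    char expected[65];
    if (!parse_sha256_field(list_line, expected))
        return 0;
    return strlen(computed_hex) == 64 && memcmp(expected, computed_hex, 64) == 0;
}

int main(void)
{
    /* Constructed sample: the SHA-256 of the empty input. */
    const char *h = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855";
    char line[96];
    snprintf(line, sizeof line, "SHA256sum:  %s\n", h);
    printf("extra space after colon: %d\n", checksum_ok(line, h));
    printf("field without colon:     %d\n", checksum_ok("SHA256sumX deadbeef", h));
    return 0;
}
```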
To update the opkg package itself without upgrading the entire firmware, the following commands may be used once all repositories have been updated:
```
opkg download opkg
zcat ./opkg-lists/openwrt_base | grep -A10 "Package: opkg" | grep SHA256sum
opkg install ./opkg_2020-01-25-c09fe209-1_*.ipk
```
> Compare both checksums and, if matching, proceed with installing the package