Hacker News new | past | comments | ask | show | jobs | submit login

I installed newest version OpenWRT on a popular brand, recently manufactured wireless router last week.

The OpenWRT firmware couldn't access https sites without installing multiple packages first. Then they had me install all the root certs over an unencrypted connection. The opkg repos and install files are all downloaded over http.

With full seriousness, I really hope nobody expects operational security using these routers.




>The opkg repos and install files are all downloaded over http.

This was a problem because of the bug. But now it isn't one anymore. 'opkg update' updates the package lists. The lists contain information about the packages: name, file size, architecture, description etc., and also the SHA256sum. When you install a package opkg will compare the SHA256sums.


Oof. Well I hope that this episode has a positive outcome in that OpenWRT improve their install and packaging security.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: