Jump to content


Photo

Package signatures and download security

security opkg https

  • Please log in to reply
10 replies to this topic

#1 David85

  • Member
  • 15 posts

0
Neutral

Posted 29 October 2018 - 01:43

Looks like downloads on https://openpli.org/download/ as well as downloads performed by opkg are done via HTTP (without SSL/TLS).

 

Are the opkg packages signed and is signature verification enforced?

 

Are there any plans for release (flashable) downloads over HTTPS and/or putting hashes/signatures of the releases available via HTTPS?



Re: Package signatures and download security #2 WanWizard

  • PLi® Core member
  • 70,480 posts

+1,810
Excellent

Posted 29 October 2018 - 13:45

Yes, implementing SSL for downloading files is a waste of resources. And no, there are no plans to implement it, it means (with our download volume) quite a substantial hardware investment.

 

What is it that you want to achieve, i.e. what are you afraid of ?

 

afaik opkg doesn't support any signing, so that isn't going to happen anyway.


Currently in use: VU+ Duo 4K (2xFBC S2), VU+ Solo 4K (1xFBC S2), uClan Usytm 4K Ultimate (S2+T2), Octagon SF8008 (S2+T2), Zgemma H9.2H (S2+T2)

Due to my bad health, I will not be very active at times and may be slow to respond. I will not read the forum or PM on a regular basis.

Many answers to your question can be found in our new and improved wiki.


Re: Package signatures and download security #3 Erik Slagter

  • PLi® Core member
  • 46,969 posts

+541
Excellent

Posted 29 October 2018 - 19:15

If TS is worried that much, he should build it's own PLi based image...


* Wavefrontier T90 with 28E/23E/19E/13E via SCR switches 2 x 2 x 6 user bands
I don't read PM -> if you have something to ask or to report, do it in the forum so others can benefit. I don't take freelance jobs.
Ik lees geen PM -> als je iets te vragen of te melden hebt, doe het op het forum, zodat anderen er ook wat aan hebben.


Re: Package signatures and download security #4 David85

  • Member
  • 15 posts

0
Neutral

Posted 29 October 2018 - 22:50

AFAIK opkg supports GPG based signing:

https://stackoverflow.com/a/39972015

http://wiki.openmoko.org/wiki/Opkg

https://groups.googl...Zsk4/discussion

 

The goal of HTTPS or signatures is malware prevention. It is extremely easy to "reroute" traffic in metro ethernet networks (so in larger networks there usually are "naughty" neighbors who hijack traffic, steal HTTP passwords/cookies and infect HTTP downloads, though usually Windows executables are the files getting infected).
Also it might be feasible for some botnet operators to infect OpenPLi distribution network (either by compromising download servers, or by some DNS hijack etc.). Of course HTTPS wouldn't help much in this case, but GPG signatures could/would (assuming signing buildservers aren't compromised). Also GPG signatures for flashable builds could help in this case.



Re: Package signatures and download security #5 WanWizard

  • PLi® Core member
  • 70,480 posts

+1,810
Excellent

Posted 29 October 2018 - 23:11

There is nothing to steal, so in-transit protection isn't required. And if our distribution network is compromised, that means the secure datacenter of our hosting company is compromised (we use a corporate hosting environment, not direct internet attached servers or VPSses), in which case not having TLS in transit is the least of our worries.

 

If GPG signing is enabled, you immediately block all other people of buidling an image from our source, and you immediately block creation of packages by third parties, as obviously we would keep our private key secret. So while that is a possibility, it is complex and has a lot of downsides, it is not something one would implement on a whim...


Currently in use: VU+ Duo 4K (2xFBC S2), VU+ Solo 4K (1xFBC S2), uClan Usytm 4K Ultimate (S2+T2), Octagon SF8008 (S2+T2), Zgemma H9.2H (S2+T2)

Due to my bad health, I will not be very active at times and may be slow to respond. I will not read the forum or PM on a regular basis.

Many answers to your question can be found in our new and improved wiki.


Re: Package signatures and download security #6 littlesat

  • PLi® Core member
  • 57,152 posts

+698
Excellent

Posted 30 October 2018 - 00:26

Never heard about the man in the middle attack...?

Edited by littlesat, 30 October 2018 - 00:26.

WaveFrontier 28.2E | 23.5E | 19.2E | 16E | 13E | 10/9E | 7E | 5E | 1W | 4/5W | 15W


Re: Package signatures and download security #7 Pr2

  • PLi® Contributor
  • 6,181 posts

+261
Excellent

Posted 30 October 2018 - 09:32

Never heard about the man in the middle attack...?

 

It is a technique that instead of having a true direct client - real server connection, by for exemple cheating the client DNS the traffic is redirected to an hacker server that can inject or intercept traffic between client and server because the connection became:   client - hacker - real server (the hacker is the man in the middle).


NO SUPPORT by PM, it is a forum make your question public so everybody can benefit from the question/answer.
If you think that my answer helps you, you can press the up arrow in bottom right of the answer.

Wanna help with OpenPLi Translation? Please read our Wiki Information for translators

Sat: Hotbird 13.0E, Astra 19.2E, Eutelsat5A 5.0W
VU+ Solo 4K: 2*DVB-S2 + 2*DVB-C/T/T2 (used in DVB-C) & Duo 4K: 2*DVB-S2X + DVB-C (FBC)

AB-Com: PULSe 4K 1*DVB-S2X (+ DVB-C/T/T2)
Edision OS Mio 4K: 1*DVB-S2X + 1*DVB-C/T/T2
 


Re: Package signatures and download security #8 technic

  • Senior Member
  • 81 posts

+9
Neutral

Posted 30 October 2018 - 11:16

Certain ISP like to intercept http connections. I would prefer to have more privacy. Also if router is compromised, and you know how insecure they are, https will protect stb from getting mailware packages.

Sent from my MI 4LTE using Tapatalk

Re: Package signatures and download security #9 Erik Slagter

  • PLi® Core member
  • 46,969 posts

+541
Excellent

Posted 30 October 2018 - 19:09

Certain ISP like to intercept http connections. I would prefer to have more privacy. Also if router is compromised, and you know how insecure they are, https will protect stb from getting mailware packages.

ROFL!!!! Indeed, always make sure your ISP doesn't know what enigma plugins you're downloading!!! :D


Edited by Erik Slagter, 30 October 2018 - 19:09.

* Wavefrontier T90 with 28E/23E/19E/13E via SCR switches 2 x 2 x 6 user bands
I don't read PM -> if you have something to ask or to report, do it in the forum so others can benefit. I don't take freelance jobs.
Ik lees geen PM -> als je iets te vragen of te melden hebt, doe het op het forum, zodat anderen er ook wat aan hebben.


Re: Package signatures and download security #10 technic

  • Senior Member
  • 81 posts

+9
Neutral

Posted 30 October 2018 - 19:14

How about second part of my message.


Sent from my MI 4LTE using Tapatalk

Re: Package signatures and download security #11 Erik Slagter

  • PLi® Core member
  • 46,969 posts

+541
Excellent

Posted 30 October 2018 - 19:48

The chance of your STB getting malware using this route is nihil compared to the chance getting malware because it's reachable over the internet, from outside. As a volunteers based society we don't have the resources to add TLS to the feed downloads, given the amount of traffic the feeds generate.


* Wavefrontier T90 with 28E/23E/19E/13E via SCR switches 2 x 2 x 6 user bands
I don't read PM -> if you have something to ask or to report, do it in the forum so others can benefit. I don't take freelance jobs.
Ik lees geen PM -> als je iets te vragen of te melden hebt, doe het op het forum, zodat anderen er ook wat aan hebben.




Also tagged with one or more of these keywords: security, opkg, https

1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users