secure download and checksums

scar
DD-WRT User


Joined: 22 Sep 2008
Posts: 60

PostPosted: Tue Oct 25, 2016 3:46    Post subject: secure download and checksums
It seems there's no way to securely download DD-WRT firmware, and there's no way to verify checksums.

The wiki article https://www.dd-wrt.com/wiki/index.php/Hashes_%26_Checksums has a broken link to the MD5SUMS file, as well as outdated information saying to use the https version of the download section. If we try to use the https version of the download section at https://www.dd-wrt.com/site/support/other-downloads, for example, the actual file comes from http://download.dd-wrt.com, which does not offer an https version.

So how can we securely download DD-WRT and be sure we are getting a clean download?

thanks
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6407
Location: UK, London, just across the river..

PostPosted: Tue Oct 25, 2016 6:45    Post subject:
ftp://ftp.dd-wrt.com/betas/
http://desipro.de/ddwrt/K3-AC-Arm/

These are the main sources for firmware; the other links are outdated.

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
Murrkf
DD-WRT Guru


Joined: 22 Sep 2008
Posts: 12675

PostPosted: Tue Oct 25, 2016 18:21    Post subject:
Download at least twice. Compare checksums. Brainslayer does not provide checksums.
_________________
SIG:
I'm trying to teach you to fish, not give you a fish. If you just want a fish, wait for a fisherman who hands them out. I'm more of a fishing instructor.
LOM: "If you show that you have not bothered to read the forum announcements or to follow the advice in them, then the level of help available for you will drop substantially, also known as Murrkf's law."
scar
DD-WRT User


Joined: 22 Sep 2008
Posts: 60

PostPosted: Thu Oct 27, 2016 2:36    Post subject:
Really, with all the surveillance that goes on around the world these days, targeting an insecure router firmware download and automating the injection of some backdoor would be a trivial task for some governments. It's pretty easy to generate a GPG signature, for example, and provide it with the downloads... one or two extra commands.
HalfBit
DD-WRT Guru


Joined: 04 Sep 2009
Posts: 776
Location: AR, USA

PostPosted: Thu Oct 27, 2016 3:38    Post subject:
scar wrote:
Really, with all the surveillance that goes on around the world these days, targeting an insecure router firmware download and automating the injection of some backdoor would be a trivial task for some governments. It's pretty easy to generate a GPG signature, for example, and provide it with the downloads... one or two extra commands.

Which router do you have?

_________________
R7000 Nighthawk - DD-WRT v3.0-r50308
~~~~~~~~~~Dismantled for learning opportunities~~~~~~~~~~
WRT54Gv2
WRT54Gv8.2
~~~~~~~~~~Other Settings~~~~~~~~~
https://nextdns.io/?from=2d3sq39x
https://pi-hole.net/
https://github.com/DNSCrypt/dnscrypt-proxy
Wicket-W
DD-WRT Novice


Joined: 11 Apr 2019
Posts: 3

PostPosted: Thu Apr 11, 2019 14:32    Post subject: How to verify .chk files
I was wondering if there is any update on this important topic.

Many of us who flash these firmware care about security, so having the possibility to download a signature and the PGP/GPG key of the developer who released the version is essential.

I'm interested in R6400v2 (Netgear) and I haven't found any way to verify the .chk file.

Am I missing something? Any help or suggestion would be very appreciated.

Many thanks.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12834
Location: Netherlands

PostPosted: Thu Apr 11, 2019 17:13    Post subject:
I use builds from Kong: http://www.desipro.de/ddwrt/K3-AC-Arm/
The .chk file does not have a checksum, but the other files have one.

There is an upgrade utility in his builds named ddup which downloads and checks the files.
When you are on his builds, just run ddup --flash-latest (from telnet) to upgrade to the latest build.

I trust Kong 100% (I know who he is and where he lives :) )

See the install guide in my signature at the bottom of this guide

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
Wicket-W
DD-WRT Novice


Joined: 11 Apr 2019
Posts: 3

PostPosted: Fri Apr 12, 2019 8:02    Post subject:
Thank you for the suggestion, but unfortunately this does not solve the problem, because ddup is available only if you have already flashed the build. Besides, I think it probably would not work for updating the R6400v2, because if the checksum is not available, it's not available for ddup either.

I trust Kong too! This is why I want to make sure what I am flashing is his build, and not some other maliciously modified build.

Of course, having PGP-signed checksums would be the best solution but, failing that, at least an unsigned checksum posted on an HTTPS site would be reasonable. What I think is not reasonable is having unsigned checksums posted on plain HTTP sites or plain FTP sites. Or, even worse, no checksum at all.

Anyway, thank you very much for the install guide. I found it very useful and detailed.
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6407
Location: UK, London, just across the river..

PostPosted: Fri Apr 12, 2019 15:52    Post subject:
Hmm... I can see that when I flash BS builds over SSH it does CRC verification, if the concern is that the firmware is broken...
Otherwise, on Kong builds it does checksum and CRC...

Wicket-W
DD-WRT Novice


Joined: 11 Apr 2019
Posts: 3

PostPosted: Wed Apr 17, 2019 10:15    Post subject:
Alozaros, thanks, but that was not what I was referring to. It's not a matter of CRC checks.

What I was expecting is what I find on OpenWRT: The website has a “Supplementary Files” section where you can download:

a) sha256sums.asc (GPG signature file)
b) sha256sums (list of SHA256 hashes for each image version)

For example: https://downloads.openwrt.org/releases/18.06.2/targets/bcm53xx/generic/

On highly critical software, like a VPN enabled router, this is not a *nice to have* addition, but pretty much a standard requirement nowadays.
By the way, also a warrant canary would be greatly appreciated.

Thanks.
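As an added example (not code from this thread, nor from the DD-WRT or OpenWrt projects), here is a small Python script that checks a downloaded image against a coreutils-style sha256sums list of the kind Wicket-W describes, and alongside it implements Murrkf's "download at least twice and compare" fallback, so the difference between the two approaches can be seen. File names and contents are constructed for the demo. The detached-signature step is noted in a comment as the standard gpg --verify invocation: a checksum list fetched over plain HTTP or FTP proves nothing about substitution until its signature has been checked against a key obtained separately, which is exactly the gap the thread is about.

```python
import hashlib
import hmac
import os
import re
import tempfile

# Layout of a coreutils sha256sums file (what OpenWrt publishes):
#   "<64 hex digits>  <filename>"   text mode
#   "<64 hex digits> *<filename>"   binary mode
# Before trusting the list at all, verify its detached signature against a
# key you obtained out of band, e.g.:  gpg --verify sha256sums.asc sha256sums
SUMS_LINE = re.compile(r"^([0-9a-fA-F]{64}) [ *](.+)$")


def parse_sha256sums(text):
    """Parse a sha256sums list into {filename: digest}; malformed lines raise."""
    table = {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip("\r\n")
        if not line.strip() or line.startswith("#"):
            continue
        m = SUMS_LINE.match(line)
        if not m:
            raise ValueError(f"line {n}: not a sha256sums entry: {raw!r}")
        table[m.group(2)] = m.group(1).lower()
    return table


def sha256_of(path, chunk=1 << 20):
    """Stream the file so a multi-megabyte image is not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_image(image_path, sums_text):
    """Check one downloaded image against the (already signature-checked) list.

    Returns (ok, reason). A file that is simply absent from the list is a
    failure, not a pass: silently ignoring missing entries is how an attacker
    who drops a line from an unsigned list would slip through.
    """
    table = parse_sha256sums(sums_text)
    name = os.path.basename(image_path)
    expected = table.get(name)
    if expected is None:
        return False, f"{name} is not listed in sha256sums"
    actual = sha256_of(image_path)
    if not hmac.compare_digest(actual, expected):
        return False, f"digest mismatch for {name}"
    return True, f"sha256 matches for {name}"


def downloads_agree(paths):
    """Murrkf's fallback: fetch the same file more than once (ideally from
    different mirrors or networks) and compare digests. This only detects
    transport corruption or an attacker who cannot serve the same bad file
    consistently; a mirror that always serves a modified image passes."""
    return len({sha256_of(p) for p in paths}) == 1


def demo():
    """Constructed scenario: a good image, a tampered copy, and an unlisted file."""
    good = b"constructed firmware image bytes\n" * 1000  # constructed payload
    with tempfile.TemporaryDirectory() as d:
        good_path = os.path.join(d, "a", "factory.chk")
        bad_path = os.path.join(d, "b", "factory.chk")
        other_path = os.path.join(d, "a", "sysupgrade.bin")
        os.makedirs(os.path.dirname(good_path))
        os.makedirs(os.path.dirname(bad_path))
        with open(good_path, "wb") as f:
            f.write(good)
        with open(bad_path, "wb") as f:
            f.write(good[:-1] + b"!")  # one byte changed, same length
        with open(other_path, "wb") as f:
            f.write(good)
        # Constructed sha256sums listing only factory.chk, in binary-mode form.
        sums = f"{hashlib.sha256(good).hexdigest()} *factory.chk\n"
        return {
            "good": verify_image(good_path, sums),
            "tampered": verify_image(bad_path, sums),
            "unlisted": verify_image(other_path, sums),
            "two_downloads_agree": downloads_agree([good_path, bad_path]),
        }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The unlisted-file case is deliberate: `sha256sum -c --ignore-missing` is convenient when a list covers many targets, but a verifier that treats "not listed" as success gives an attacker who controls an unsigned list a trivial bypass, so the script reports it as a failure.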
jfovrw
DD-WRT Novice


Joined: 23 Oct 2019
Posts: 3

PostPosted: Sun Jun 28, 2020 11:14    Post subject:
Having no checksum at all available to compare the downloads lessens the credibility of the whole project in my opinion. Still not fixed in 2020...
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14125
Location: Texas, USA

PostPosted: Sun Jun 28, 2020 18:31    Post subject:
https://svn.dd-wrt.com//ticket/378
_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT
Pogo - A minimal level of ability is expected and needed...
DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)

----------------------
Linux User #377467 counter.li.org / linuxcounter.net