Posted: Thu Aug 08, 2019 12:51 Post subject: Kong's builds cryptographically signed?
One of the differences between BrainSlayer's builds and Kong's builds is that Kong's builds are cryptographically signed, so you can check that the version you are flashing is authentic and has not been maliciously modified by third parties. This is what this readme file says.
Thank you for the suggestion, I actually read that file and I saw that .bin are signed.
But, as I pointed out in my previous post (on which you had the courtesy to reply as well) I am looking for a build for the first flash, I'm not updating, so I need a .chk file. And I do not find any signature for that.
I think you would agree that, from a security perspective, flashing an unsigned build and then updating it with a signed .bin is meaningless.
From a security perspective, as I said, it is meaningless, whatever the update process is. It doesn't matter that
Quote:
the flashing process overwrites the entire flash area.
Nor is it a matter of nvram. If you flash "my" maliciously modified build, then when you update it I can make you download whatever I want and even display a message to you in bright green that says:
"Build verified. Update completed successfully".
This happens every day; there are thousands of compromised routers feeding large or very large botnets. The infrastructure is always untrusted, which is why most browsers flag as insecure very respectable websites that serve you content (not to mention executable code) over HTTP or FTP. Today there is no respectable operating system, driver or firmware that is distributed unsigned.
Unless this firmware is a toy project never meant to replace the official home/office router, this is a serious concern, and I'm surprised that somebody is downplaying it.
Joined: 08 May 2018 Posts: 14221 Location: Texas, USA
Posted: Thu Aug 08, 2019 22:59 Post subject:
Do an md5 checksum on the .chk files and get creative. Seriously, though, the code repository would then definitely have to be broken apart by chipset and manufacturer to sign firmware files like the factory firmware files are signed. If you're paranoid and don't wish to flash BS or <Kong> firmware builds or anyone else's DD-WRT builds, I am sure you can find the door, just don't let it crack your tailbone on the way out.
P.S. there are plenty of custom and non-custom firmwares out there that are not signed. Are you pissing in their punch bowls, too?
First of all I really do not understand what you mean by:
Quote:
Do an md5 checksum on the .chk files and get creative.
With MD5 you can certainly get very creative finding collisions! This algorithm was broken in 1996, and today if you want to hash something you will use SHA-1, if you are lazy, or SHA-256 and beyond if you are security conscious.
Secondly, you really do not understand what asking for .chk file signature means. It is an act of trust towards the developer. It means: "I trust you, I trust that when you develop your code and use third party modules you are responsible and security aware and that the final binaries you release are reasonably secure."
I am certainly not asking that you provide a signature for each third party code you embed in the project. I rely on your own judgment, trusting that you will check the signatures of what you download and I am happy to verify the signature of the final .chk package you release.
Third, it's not a matter of being paranoid. 25 years ago I too was downloading over HTTP and FTP, logging on to remote servers using Telnet and installing unsigned stuff. But it was 1995 and that was a different world. At that time strong cryptography like 3DES was considered a weapon and could not be exported to Europe, where I live. There were no botnets with half a million compromised routers, nor APT groups.
Quote:
there are plenty of custom and non-custom firmwares out there that are not signed
I am not saying that there are no unsigned executables, drivers or firmwares. I know there are plenty. What I am saying is that today all serious and respectable projects provide signed packages. Period. All Linux distributions are signed, the Linux kernel itself is signed, all Windows, Mac and Linux packages are signed, OpenWRT is signed. And I could go on forever.
But there is one important thing that I have learnt from this conversation: this very relaxed and naive attitude towards security is an indicator that maybe the trust I place in this project is misplaced.
This is why I will certainly move to different hardware (not Broadcom based) and flash a different firmware.
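The distinction the post above draws between a checksum and a signature, shown as an added example (not code from the DD-WRT project or from anyone in this thread): a checksum published next to the download can be recomputed by whoever replaced the image, while a signature under a developer key obtained out of band cannot be forged. The key pair, the "firmware" bytes and the Ed25519 scheme are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Checksum returns the hex SHA-256 of an image. A published checksum only
// proves the download matches what the same (possibly hostile) server
// published; it says nothing about who built the image.
func Checksum(image []byte) string { return fmt.Sprintf("%x", sha256.Sum256(image)) }

// VerifyImage accepts an image only if sig is a valid Ed25519 signature over
// it under pub, where pub was obtained out of band (not from the download site).
func VerifyImage(pub ed25519.PublicKey, image, sig []byte) error {
	if len(pub) != ed25519.PublicKeySize || len(sig) != ed25519.SignatureSize {
		return errors.New("malformed key or signature")
	}
	if !ed25519.Verify(pub, image, sig) {
		return errors.New("signature does not match image: refuse to flash")
	}
	return nil
}

// Scenario: the developer signs the release; an attacker who controls the
// download path replaces the image and republishes a matching checksum, but
// cannot produce a valid signature without the developer's private key.
func Scenario() (checksumMatches bool, sigOnTampered error, sigOnGenuine error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed developer key pair
	genuine := []byte("constructed firmware .chk image v1")
	sig := ed25519.Sign(priv, genuine)
	tampered := append(append([]byte(nil), genuine...), []byte(" modified")...)
	publishedSum := Checksum(tampered) // attacker publishes a fresh checksum
	checksumMatches = publishedSum == Checksum(tampered)
	sigOnTampered = VerifyImage(pub, tampered, sig)
	sigOnGenuine = VerifyImage(pub, genuine, sig)
	return
}

func main() {
	ok, bad, good := Scenario()
	fmt.Println("checksum matched tampered image:", ok)
	fmt.Println("signature on tampered image:", bad)
	fmt.Println("signature on genuine image:", good)
}
```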
Joined: 08 May 2018 Posts: 14221 Location: Texas, USA
Posted: Fri Aug 09, 2019 9:35 Post subject:
If you weren't following the bouncing ball, then I don't know what to tell you. Also, if not md5 hash, then check the .sig files. Obviously, you're not thinking very far outside the box. I kinda regret saying anything (here's your one finger salute).
ANYWAY... how's about YOU figure out how to insert proper cryptographic signature methods into the build system and development environment of DD-WRT and make the suggestion to the lead developer. Good luck.