Joined: 16 Apr 2018 Posts: 85 Location: Milwaukee, WI
Posted: Sat May 31, 2025 5:16 Post subject: Securely downloading and installing Entware. Why not this?
I noticed that in the DD-wrt entware installation guides, all of the links for downloading ddwrt are http, not https. This makes it seem like entware is very dangerous to download and install.
I found this guide to securely download and install entware (https://github.com/Lanchon/ddwrt-secure-entware), but am wondering if it is okay to use, and if so, why it hasn't been implemented in the entware ddwrt wiki or any other ddwrt entware guides?
Possibly because the wiki was written before Entware had https support and has not been updated? _________________ - Linksys EA8500: I-Gateway, WAP/VAP 5ghz only. Features: VLANs, Samba, WG, Entware - r60xxx
- Linksys EA8500: 802.11s Secondary w/VLAN Trunk over 5ghz - r60xxx
- Linksys MX4300: 802.11s Primary w/VLAN Trunk over 5ghz. 2.4ghz WAP/VAP only - r60xxx
- Linksys MX4300: (WAP/VAP (7)) Multiple VLANs over single trunk port. Entware/Samba r60xxx
- Linksys MR7350: WDS Station for extended Ethernet r60xxx
- Linksys MR7500, MX8500: None in production. Just testing. r60xxx
- OSes: Fedora 40, 10 RPis (2,3,4,5), 23 ESP8266s: Straight from Amiga to Linux in '95, never having owned a Windows PC.
- Forum member #248
Joined: 16 Nov 2015 Posts: 7068 Location: UK, London, just across the river..
Posted: Sat May 31, 2025 6:39 Post subject:
I used that way and.....in a random amount of time and random devices (couse i ve few devices with Entware) updates stopped...and i ve found that the units with normal way of installing/updating...ware fine...so..i abandoned it... it was not linked to curl or anything missing from ddwrt, nor their https not working...just very very random.....you can always use https for the first deploy...but then, yep updates are always via http...and this is always questionable from the security perspective...well same even for https its not a rocket science
in fact Lanchon way is mentioned here...but people are lazy to search, read, do their homework and ect...
sadly the Entware guys are so bad/inconsistent in updating their packages, as they said they are synchronized with OpenWRT... updates...but sometimes waiting is a too long...
Joined: 26 Mar 2013 Posts: 1887 Location: Hung Hom, Hong Kong
Posted: Sat May 31, 2025 15:41 Post subject: Re: Securely downloading and installing Entware. Why not thi
atomicamp wrote:
I noticed that in the DD-wrt entware installation guides, all of the links for downloading ddwrt are http, not https. This makes it seem like entware is very dangerous to download and install.
The reason is very simple: the Wiki was writtten possibly decade(s) ago, when HTTPS was not yet mainstream due to hardware limitations!! Strong encryption needs good infrastructure! Did we talk about TPM 2.0 back then when Win 11 was not even born?
Don't worry... some websites might auto-magically redirect HTTP to HTTPS. But things might change in the future when HTTPS became mandatory. _________________ Router: Asus RT-N18U (rev. A1)
Drink, Blink, Stretch! Live long and prosper! May the Force and farces be with you!
Joined: 08 May 2018 Posts: 16707 Location: Texas, USA
Posted: Sat May 31, 2025 15:45 Post subject:
Okay, I think I know why it wasn't added. The proof is on the forum (not to mention the previously mentioned "official" method link!). When someone is as technically-apt as the OP comes up with something, it may not be properly vetted or correct. Sorry, not sorry. Most tech-savvy people know you can never stop reading or researching and can pick up on clues as to why their key-based authentication ssh is broken that was directly in the information they posted.
