deviantintegral closed 8 years ago
I agree that would be nice, but there are a couple of limiting factors preventing this.
Tomato shibby does have curl with HTTPS, but no CA certs.
What could be implemented now, though, is to have everything go through HTTPS once Entware is bootstrapped. It could automatically download GNU wget and the CA cert bundle, then use that for all future communication.
You may check the installation script by:

```
cd /opt
wget http://entware.zyxmon.org/binaries/mipsel/installer/upgrade.sh
cat ./upgrade.sh
```

if you wish to check it before running it on the router. There is no HTTPS support in most of the embedded devices where Entware is working, sorry.
Ah, I forgot that ca-certs weren't bundled even with firmwares that compile in HTTPS support. Thanks for the details!
Please revisit this issue. At least Asuswrt-Merlin supports HTTPS out of the box. It should be easy to set up a Let's Encrypt certificate.
Cloudflare HTTPS setup is even easier. But there's still no HTTPS support on other devices.
It would be great if all scripts and packages were downloaded over HTTPS instead of raw HTTP. As-is, it's way simpler for an attacker to modify installer scripts during transport, or to redirect updates to a different source. Given how this software is for use on routers, the potential for damage from a compromise seems really high.
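
The download-then-inspect step suggested in the thread and the in-transit tampering concern raised in the issue can be combined into one check. The following is an added example, not part of the thread and not Entware's own code: it refuses to run a saved installer unless the file matches a pinned SHA-256 digest. The function names are hypothetical, and the existence of a digest obtained over a trusted channel is an assumption; the thread does not say the project publishes one.

```shell
#!/bin/sh
# Added example: verify a saved installer against a pinned digest before
# running it, instead of trusting whatever arrived over plain HTTP.
# Assumes sha256sum is available (BusyBox and coreutils both provide it).
#
# Typical use on the router (PINNED_SHA256 is a placeholder):
#   wget -O /opt/upgrade.sh http://entware.zyxmon.org/binaries/mipsel/installer/upgrade.sh
#   run_if_verified /opt/upgrade.sh "$PINNED_SHA256"

# sha256_of FILE: print the lowercase hex SHA-256 of FILE.
sha256_of() {
    sha256sum "$1" | cut -d ' ' -f 1
}

# verify_installer FILE EXPECTED_SHA256
# Returns 0 on match, 1 on digest mismatch, 2 on unusable input.
verify_installer() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -s "$file" ] || { echo "missing or empty: $file" >&2; return 2; }
    # The pin must be exactly 64 hex characters, so an empty or truncated
    # value can never compare equal by accident.
    case $expected in
        *[!0-9a-f]*) echo "pin is not hex" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "pin has wrong length" >&2; return 2; }
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $file" >&2
        echo "  expected $expected" >&2
        echo "  actual   $actual" >&2
        return 1
    fi
    return 0
}

# run_if_verified FILE EXPECTED_SHA256
# Executes the same saved copy that was hashed, never a second download.
run_if_verified() {
    verify_installer "$1" "$2" || return $?
    sh "$1"
}
```

The check only helps if the pinned digest reaches the router by a path that an attacker on the HTTP connection cannot alter.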