Entware-ng
GNU General Public License v2.0

Use HTTPS for entware.zyxmon.org #18

Closed deviantintegral closed 8 years ago

deviantintegral commented 8 years ago

wget -O - http://entware.zyxmon.org/binaries/mipsel/installer/upgrade.sh | sh

It would be great if all scripts and packages are downloaded over HTTPS instead of raw HTTP. As-is, it's way simpler for an attacker to modify installer scripts during transport, or to redirect updates to a different source. Given how this software is for use on routers, the potential for damage from a compromise seems really high.

lancethepants commented 8 years ago

I agree that would be nice, but there are a couple of limiting factors preventing this.

  1. Most firmwares use busybox's implementation of wget, which does not support https.
  2. The firmware would also need to bundle the necessary CA certs with the firmware. No use in using https if you can't confirm you trust the source.
  3. The hosting server would need to set up HTTPS support using a cert from a trusted CA.

#3 would not be difficult to do. #1 and #2 would require the firmware maker to put those in.

Tomato shibby does have curl with https, but no CA certs.

What could be implemented now though, is have everything go through https once entware is bootstrapped. It could automatically download gnu wget and the CA cert bundle. Then use that for all future communication.

ryzhovau commented 8 years ago

You may check the installation script by:

cd /opt
wget http://entware.zyxmon.org/binaries/mipsel/installer/upgrade.sh 
cat ./upgrade.sh

if you wish to check it before running it on the router. There is no HTTPS support on most of the embedded devices where Entware is working, sorry.
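
A scripted form of the download-then-inspect step above, as an added example that is not part of the Entware project: the installer is saved to a file rather than piped into `sh`, compared against a SHA-256 digest obtained out of band (for example copied from a page viewed over HTTPS on a PC; a digest fetched over the same plain-HTTP path would add nothing), and run only on a match. The `/opt/tmp` path and the digest variable are assumptions; the installer URL is the one quoted in the issue.

```shell
#!/bin/sh
# Added example: verify an Entware installer before running it.
# Works with busybox sh/wget; only needs sha256sum, cut and tr.

# URL from the issue; the digest is a placeholder to be filled in
# from an out-of-band source (assumption: there is such a source).
SCRIPT_URL="http://entware.zyxmon.org/binaries/mipsel/installer/upgrade.sh"
EXPECTED_SHA256="<sha256 obtained over a trusted channel>"

# Print the hex SHA-256 of a file.
file_sha256() {
    sha256sum "$1" | cut -d' ' -f1
}

# verify_script FILE EXPECTED_SHA256
# Returns 0 when the file's digest matches (case-insensitive), 1 otherwise.
verify_script() {
    actual=$(file_sha256 "$1")
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# fetch_and_run URL EXPECTED_SHA256
# Download to a file so it can be checked (and read) before executing.
# /opt/tmp as scratch directory is an assumption about the router layout.
fetch_and_run() {
    tmp="/opt/tmp/installer.$$.sh"
    wget -O "$tmp" "$1" || { echo "download failed" >&2; return 1; }
    if verify_script "$tmp" "$2"; then
        sh "$tmp"
    else
        echo "checksum mismatch for $1, refusing to run" >&2
        rm -f "$tmp"
        return 1
    fi
}

# Usage on the router (not run automatically):
#   fetch_and_run "$SCRIPT_URL" "$EXPECTED_SHA256"
```

Once GNU wget and a CA bundle are installed, the same `fetch_and_run` can be pointed at an `https://` URL so that transport integrity no longer rests on the checksum alone.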

deviantintegral commented 8 years ago

Ah, I forgot that ca-certs weren't bundled even with firmwares that compile in HTTPS support. Thanks for the details!

stiell commented 6 years ago

Please revisit this issue. At least Asuswrt-Merlin supports HTTPS out of the box. It should be easy to set up a Let's Encrypt certificate.

ryzhovau commented 6 years ago

Cloudflare HTTPS setup is even easier. But there's still no HTTPS support on other devices.