The download link in the installation instructions and the configured update endpoints for both Colibri UI and the firmware use unsecured HTTP. This allows attackers to install compromised software images and firmware using, e.g., a man-in-the-middle attack or DNS spoofing on unsecured networks.
At the very least HTTPS should be used to download these files to prevent a botnet of 3D printers. Alternatively/additionally, checksums could be calculated and placed in the wiki so people / the update mechanism can check that the checksums match before copying the data onto an SD card.
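As an added example (not part of the original report or of the Colibri project), the following Python script shows the two mitigations proposed above in a form an update mechanism could adopt: it refuses any download URL that is not `https://`, and it verifies the downloaded image against a SHA-256 digest published alongside it (for example in the wiki, in `sha256sum` output format) before the image is handed over for writing to the SD card. The firmware bytes, manifest text and file names below are constructed for the example; the `fetch` hook exists so the verification logic can be exercised offline.

```python
import hashlib
import hmac
import urllib.request
from urllib.parse import urlparse

# Constructed sample: a tiny stand-in for a firmware image and the
# sha256sum-style manifest an author would publish next to it.
SAMPLE_IMAGE = b"COLIBRI-FW-EXAMPLE\x00\x01\x02\x03"  # constructed, not a real image
SAMPLE_NAME = "colibri-firmware.bin"                 # constructed file name
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_IMAGE).hexdigest()
SAMPLE_MANIFEST = f"{SAMPLE_SHA256}  {SAMPLE_NAME}\n"


def require_https(url: str) -> str:
    """Reject anything that is not an https:// URL, so a plain-HTTP endpoint
    (the weakness described in the report) can never be used by mistake."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError(f"refusing insecure or malformed download URL: {url}")
    return url


def parse_manifest(text: str) -> dict:
    """Parse 'sha256sum' output ('<hex>  <filename>' per line) into a mapping
    from file name to lowercase hex digest. Malformed lines are rejected."""
    digests = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed manifest line: {raw!r}")
        digest, name = parts[0].lower(), parts[1].lstrip("*")
        int(digest, 16)  # raises if the digest is not hex
        digests[name] = digest
    return digests


def verify_image(data: bytes, expected_sha256: str) -> bool:
    """True only if the SHA-256 of data equals the published digest.
    compare_digest keeps the comparison constant-time as general hygiene."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_sha256.strip().lower())


def _https_fetch(url: str) -> bytes:
    with urllib.request.urlopen(url, timeout=60) as resp:
        return resp.read()


def fetch_and_verify(url: str, name: str, manifest_text: str, fetch=_https_fetch) -> bytes:
    """Download `name` from an https URL and return its bytes only if they
    match the digest listed for `name` in the manifest. Anything else raises,
    so the caller never writes an unverified image to the SD card."""
    require_https(url)
    digests = parse_manifest(manifest_text)
    if name not in digests:
        raise ValueError(f"no published checksum for {name}; refusing to trust it")
    data = fetch(url)
    if not verify_image(data, digests[name]):
        raise ValueError(f"checksum mismatch for {name}: image rejected")
    return data


if __name__ == "__main__":
    # Offline demonstration using the constructed sample instead of a real server.
    url = "https://example.invalid/downloads/" + SAMPLE_NAME  # placeholder host
    good = fetch_and_verify(url, SAMPLE_NAME, SAMPLE_MANIFEST, fetch=lambda u: SAMPLE_IMAGE)
    print("verified", len(good), "bytes; safe to copy to the SD card")
    try:
        fetch_and_verify(url, SAMPLE_NAME, SAMPLE_MANIFEST, fetch=lambda u: SAMPLE_IMAGE + b"\xff")
    except ValueError as err:
        print("rejected tampered image:", err)
```

The manifest is parsed rather than a single digest hard-coded so that one published `sha256sum` file can cover both the Colibri UI image and the firmware; note that the manifest itself must also be obtained over HTTPS, otherwise an attacker who can rewrite the download can rewrite the checksum too.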