From: Sebastian Moeller
To: Dave Täht
Cc: cerowrt-devel
Date: Mon, 26 Nov 2018 23:28:56 +0100
Message-Id: <13EA268F-994D-45FF-A0B2-1CAF4C530B4F@gmx.de>
References: <6F8CDBFF-8B8A-4B6B-BCE9-918A69354626@gmx.de>
Subject: Re: [Cerowrt-devel] security guidelines for home routers

Hi Dave,

> On Nov 26, 2018, at 19:40, Dave Taht wrote:
>
> On Mon, Nov 26, 2018 at 10:24 AM Sebastian Moeller wrote:
>>
>> Hi Dave,
>>
>>
>> neither the openwrt folks (see https://openwrt.org) nor the chaos computer club of germany (see German: https://www.ccc.de/en/updates/2018/risikorouter, machinenglish: https://translate.google.com/translate?sl=de&tl=en&js=y&prev=_t&hl=de&ie=UTF-8&u=https%3A%2F%2Fwww.ccc.de%2Fen%2Fupdates%2F2018%2Frisikorouter&edit-text=) seem to be fully convinced.
>> Personally I believe this is a step in the right direction, even though hopefully just a first step.
>
> I would like it very much if my country attempted to get to something
> similar as a requirement for FCC certification or import. Stronger
> yes, would be nice, but there was
> nothing horrible in here that I could see.

+1

>
> It is extremely well written, could probably use a glossary.

See table 1 of https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR03148/TR03148.pdf?__blob=publicationFile&v=2 for an attempt at a terse glossary

>
>>
>> Openwrt and CCC mainly criticise:
>>
>> "The Chaos Computer Club (CCC) and OpenWrt took part in multiple review and discussion rounds with the Bundesamt für Sicherheit in der Informationstechnik (BSI) and representatives of multiple device vendors and network operators. These are our two main demands:
>>
>> 1) Vendors have to inform customers before buying the product, for all devices being sold in Germany, how long the device will get security updates in case problems are found.
>
> I am reminded of the mandatory warnings on all cig smoking cartons.
> Long term, I guess, they've been effective. I seem to be one of the
> few left that still smoke, and most of the other smokers I know use
> rollies, and don't have to read about what they are doing to
> themselves on every pack.

I tend to think that "real tobacco aficionados" will sooner or later switch to chewing tobacco ;)

>
>> 2) The customer must have the possibility to install custom software on their devices, to have the possibility to fix security problems even after the official vendor support ended."
>>
>> I believe that 1) is currently supposed to be posted on a web-site so will not be effortlessly visible at the point of sale in a store.
>
> I would rather like that. With most computer gear today, you are
> essentially buying a lease. "Supported for 1 week longer than our 1
> year warranty".

If at all! Now there are a few good apples in there as well, e.g. AVM typically supports their new router models for several years, publishes EOS and EOL notices regularly and even introduces new features to older hardware as part of their firmware upgrades (I believe they partly do this to reduce the version explosion in their testing matrix, but still it is a win-win for both AVM and customers). Also evenroute seem to do well with their iq-router brand in that regard.

> People should value a long term support plan, as much
> as they value getting a 10 year "bumper to bumper" warranty on a car.
> Spending 200 bucks on a piece
>
>> And 2) basically is a complaint that there is a weak MAY clause for guaranteeing that 3rd party firmware like openwrt is installable. I think this was weakened on purpose by the DOCSIS-ISPs which seem to have zero interest in 3rd party firmwares for cable-modems/routers. (I would not be amazed if cable labs would actually rule something like this out per contract, but I have zero evidence for that hypothesis).
>
> These are the people that *rent* modems to you at an enormous margin
> and are unwilling to support it?

Yes, even worse, the same companies that distributed the latency-jinxed intel puma5/6/7 based docsis modems that had/have rather unfortunate latency spikes and packet drops; and often have not managed to distribute the newer firmware images that severely ameliorate that issue. In that light I understand ccc/openwrt's frustration with the weak custom firmware requirements.

>
> Sigh... I have zip, zero problem, if cable folk *leased* you a modem,
> managed it,
> and then provided a new one when their support costs got too great. It
> would do wonders for the entire industry if they simply gave away new
> docsis 3 or 3.1 modems to every one still running an earlier one....

Well, they, as well as most dsl-ISPs in Germany, will happily rent you something, and at least the dsl ISPs tend to get "timely" firmware updates (at least if compared with the docsis ISPs). The sad thing is that in the past these devices were factored into the plans but now are run as profit centers (say 4 EUR for a device that is expected to last for 5 years at a customer's home will net you 4*12*5 = 240 EUR for hardware and support).

>
> There's a huge difference in "leasing" vs "renting" vs "buying" I guess.
>
> There's a movement here called "right to repair", which is not
> something I've been tracking here. How's it going over there? It's
> used a lot when arguing with John Deere about their tractors....

It is discussed in the media, and I have (so far unsubstantiated) hopes that the EU parliament might tackle this somehow, somewhen ;)

>
>>
>>
>>
>>> On Nov 26, 2018, at 19:05, Dave Taht wrote:
>>>
>>> I only briefly scanned this, but I did find some things that made me
>>> happy. Still, What happens after end of life?
>>>
>>> https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR03148/TR03148.pdf;jsessionid=01F54E80B004E9BFB194DBC00DE9B961.2_cid360?__blob=publicationFile&v=2
>>>
>>> "To be able to react to newly appearing exploits of soft- or hardware
>>> vulnerabilities of the router or any of its components the router MUST
>>> have a functionality to update the firmware (operating system and
>>> applications) using a firmware package. The router MUST allow the
>>> end-user to fully control such a firmware update and determine to
>>> initiate an online update (router retrieves firmware package from the
>>> Internet (WAN interface)) and/ or manually update the firmware through
>>> the configuration interface (user provides firmware package) described
>>> in Section 4.1: Configuration and Information."
>>>
>>> The router SHOULD offer an option to automatically retrieve security
>>> relevant firmware updates from a trustworthy source over the Internet
>>> (WAN interface). If the router offers this functionality it SHOULD be
>>> activated by default, but MUST be possible for the end-user to
>>> deactivate it when using customized settings. In both scenarios
>>> (manual and automated update) the firmware update function of the
>>> router MUST check the authenticity of the firmware package (file)
>>> before it is installed on the router. This SHOULD be done by a digital
>>> signature that is applied to the firmware package by the manufacturer
>>> and checked by the router itself. For this purpose only signature
>>> schemes in accordance to [SOG-IS] Section 5.2: Digital Signatures MUST
>>> be used. The router MUST NOT automatically install any unsigned
>>> firmware. The router MAY allow the installation of unsigned firmware
>>> (i.e. custom firmware) IF a meaningful warning message has been shown
>>> to the authenticated end-user and the end-user accepts the
>>> installation of the unsigned firmware.
>>>
>>> the manufacturer of the router MUST provide information on how long
>>> firmware updates fixing common vulnerabilities and exposures that have
>>> a high severity (i.e. a CVSS combined score higher than 6.0 according
>>> to the Common Vulnerability Scoring System3 assigned to the specific
>>> device or a component used by the device) will be made available. This
>>> information SHOULD be available on the manufacturer website.
>>> Additionally it MAY be made available on the router configuration
>>> interface described in Section 4.1.2: Providing Information. The
>>> manufacturer MUST provide information if the router has reached the
>>> End of its Support (EoS) and will not receive firmware updates by the
>>> manufacturer anymore. This information (EoS) MUST be made available on
>>> the router configuration as described in Section 4.1.2: Providing
>>> Information. The manufacturer MUST provide firmware updates to fix
>>> common vulnerabilities and exposures of a high severity without
>>> culpable delay (without undue delay) after the manufacturer obtains
>>> knowledge
>>>
>>>
>>> --
>>>
>>> Dave Täht
>>> CTO, TekLibre, LLC
>>> http://www.teklibre.com
>>> Tel: 1-831-205-9740
>>> _______________________________________________
>>> Cerowrt-devel mailing list
>>> Cerowrt-devel@lists.bufferbloat.net
>>> https://lists.bufferbloat.net/listinfo/cerowrt-devel
>>
>
>
> --
>
> Dave Täht
> CTO, TekLibre, LLC
> http://www.teklibre.com
> Tel: 1-831-205-9740
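The TR-03148 firmware-update passage quoted in this thread (authenticity check before install; no automatic install of unsigned firmware; unsigned custom firmware only after the authenticated user has seen and accepted a warning) is small enough to write down as a policy gate. The following Go program is an added example for this thread, not code from BSI, OpenWrt, CCC or any vendor. The package layout (magic, version, length, image, trailing signature), the function names and the use of Ed25519 are assumptions made here for the demo; a real vendor would use whichever scheme the SOG-IS agreed-mechanisms list allows and keep the signing key offline in an HSM.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed (not BSI-specified) wire layout of a firmware package:
//   magic(4) | version(4 BE) | imageLen(4 BE) | image | [signature(64)]
// The signature covers everything before it, so the version and length
// fields cannot be altered independently of the image.
var magic = []byte("FWPK")

const headerLen = 12

type Package struct {
	Version uint32
	Image   []byte
	Signed  bool // true only when a signature was present AND verified
}

var (
	ErrMalformed = errors.New("firmware package: malformed")
	ErrBadSig    = errors.New("firmware package: signature verification failed")
)

// ParsePackage validates the framing and, if a signature trailer is present,
// verifies it under vendorKey. A present-but-invalid signature is an error,
// not "unsigned": that distinguishes tampering from a genuinely unsigned image.
func ParsePackage(blob []byte, vendorKey ed25519.PublicKey) (*Package, error) {
	if len(blob) < headerLen || !bytes.Equal(blob[:4], magic) {
		return nil, ErrMalformed
	}
	version := binary.BigEndian.Uint32(blob[4:8])
	imageLen := binary.BigEndian.Uint32(blob[8:12])
	// Bounds-check before slicing: the length field is attacker-controlled input.
	if uint64(imageLen) > uint64(len(blob)-headerLen) {
		return nil, ErrMalformed
	}
	end := headerLen + int(imageLen)
	image, trailer := blob[headerLen:end], blob[end:]
	switch len(trailer) {
	case 0:
		return &Package{Version: version, Image: image, Signed: false}, nil
	case ed25519.SignatureSize:
		if !ed25519.Verify(vendorKey, blob[:end], trailer) {
			return nil, ErrBadSig
		}
		return &Package{Version: version, Image: image, Signed: true}, nil
	default:
		return nil, ErrMalformed
	}
}

// InstallAllowed is the TR-03148 policy gate: signed packages install in either
// mode; unsigned ones are refused in automatic (online) mode and accepted in
// manual mode only after the authenticated user acknowledged the warning.
func InstallAllowed(pkg *Package, automatic bool, userAcceptedUnsigned bool) (bool, string) {
	if pkg.Signed {
		return true, "vendor signature verified"
	}
	if automatic {
		return false, "unsigned package refused: automatic updates require a vendor signature"
	}
	if !userAcceptedUnsigned {
		return false, "unsigned package: warning must be acknowledged by the authenticated user"
	}
	return true, "unsigned (custom) firmware installed at the user's explicit request"
}

// BuildPackage assembles a package; a nil key yields an unsigned one.
func BuildPackage(version uint32, image []byte, key ed25519.PrivateKey) []byte {
	buf := make([]byte, headerLen, headerLen+len(image)+ed25519.SignatureSize)
	copy(buf[:4], magic)
	binary.BigEndian.PutUint32(buf[4:8], version)
	binary.BigEndian.PutUint32(buf[8:12], uint32(len(image)))
	buf = append(buf, image...)
	if key != nil {
		buf = append(buf, ed25519.Sign(key, buf)...)
	}
	return buf
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // demo key pair, generated here
	image := []byte("constructed sample firmware image bytes")
	signed := BuildPackage(2, image, priv)
	unsigned := BuildPackage(3, image, nil)
	tampered := append([]byte{}, signed...)
	tampered[headerLen] ^= 0x01 // flip one image bit; the signature must now fail

	cases := []struct {
		name      string
		blob      []byte
		automatic bool
		userAck   bool
	}{
		{"signed, automatic", signed, true, false},
		{"unsigned, automatic", unsigned, true, false},
		{"unsigned, manual, no ack", unsigned, false, false},
		{"unsigned, manual, ack", unsigned, false, true},
		{"tampered, manual, ack", tampered, false, true},
	}
	for _, c := range cases {
		pkg, err := ParsePackage(c.blob, pub)
		if err != nil {
			fmt.Printf("%-26s refuse: %v\n", c.name, err)
			continue
		}
		ok, why := InstallAllowed(pkg, c.automatic, c.userAck)
		fmt.Printf("%-26s install=%-5v version=%d (%s)\n", c.name, ok, pkg.Version, why)
	}
}
```

Two caveats a practitioner should keep in mind. First, an attacker who can strip the trailer turns a signed package into an "unsigned" one, which is exactly why the MAY clause only applies after an authenticated user accepts a warning and never in automatic mode. Second, the TR text quoted here covers authenticity only; the signature above also binds the version field, but whether the router refuses to go backwards (anti-rollback) is a separate design decision the passage does not address.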