From mboxrd@z Thu Jan 1 00:00:00 1970
From: Sebastian Moeller
Date: Mon, 26 Nov 2018 19:24:54 +0100
To: Dave Täht
Cc: cerowrt-devel
Message-Id: <6F8CDBFF-8B8A-4B6B-BCE9-918A69354626@gmx.de>
Subject: Re: [Cerowrt-devel] security guidelines for home routers
List-Id: Development issues regarding the cerowrt test router project
X-List-Received-Date: Mon, 26 Nov 2018 18:24:57 -0000

Hi Dave,

neither the OpenWrt folks (see https://openwrt.org) nor the Chaos Computer Club of Germany (see German: https://www.ccc.de/en/updates/2018/risikorouter, machine English: https://translate.google.com/translate?sl=de&tl=en&js=y&prev=_t&hl=de&ie=UTF-8&u=https%3A%2F%2Fwww.ccc.de%2Fen%2Fupdates%2F2018%2Frisikorouter&edit-text=) seem to be fully convinced. Personally I believe this is a step in the right direction, even though hopefully just a first step.

OpenWrt and CCC mainly criticise:

"The Chaos Computer Club (CCC) and OpenWrt took part in multiple review and discussion rounds with the Bundesamt für Sicherheit in der Informationstechnik (BSI) and representatives of multiple device vendors and network operators. These are our two main demands:

1) Vendors have to inform customer before buying the product for all devices being sold in Germany, how long the device will get security updates in case problems are found.

2) The customer must have the possibility to install custom software on their devices, to have the possibility to fix security problems even after the official vendor support ended."

I believe that 1) is currently supposed to be posted on a web-site so will not be effortlessly visible at the point of sale in a store.
And 2) basically is a complaint that there is a weak MAY clause for guaranteeing that 3rd party firmware like OpenWrt is installable. I think this was weakened on purpose by the DOCSIS-ISPs which seem to have zero interest in 3rd party firmwares for cable-modems/routers. (I would not be amazed if CableLabs would actually rule something like this out per contract, but I have zero evidence for that hypothesis).

> On Nov 26, 2018, at 19:05, Dave Taht wrote:
>
> I only briefly scanned this, but I did find some things that made me happy. Still, what happens after end of life?
>
> https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR03148/TR03148.pdf;jsessionid=01F54E80B004E9BFB194DBC00DE9B961.2_cid360?__blob=publicationFile&v=2
>
> "To be able to react to newly appearing exploits of soft- or hardware vulnerabilities of the router or any of its components the router MUST have a functionality to update the firmware (operating system and applications) using a firmware package. The router MUST allow the end-user to fully control such a firmware update and determine to initiate an online update (router retrieves firmware package from the Internet (WAN interface)) and/ or manually update the firmware through the configuration interface (user provides firmware package) described in Section 4.1: Configuration and Information."
>
> The router SHOULD offer an option to automatically retrieve security relevant firmware updates from a trustworthy source over the Internet (WAN interface). If the router offers this functionality it SHOULD be activated by default, but MUST be possible for the end-user to deactivate it when using customized settings. In both scenarios (manual and automated update) the firmware update function of the router MUST check the authenticity of the firmware package (file) before it is installed on the router.
> This SHOULD be done by a digital signature that is applied to the firmware package by the manufacturer and checked by the router itself. For this purpose only signature schemes in accordance to [SOG-IS] Section 5.2: Digital Signatures MUST be used. The router MUST NOT automatically install any unsigned firmware. The router MAY allow the installation of unsigned firmware (i.e. custom firmware) IF a meaningful warning message has been shown to the authenticated end-user and the end-user accepts the installation of the unsigned firmware.
>
> the manufacturer of the router MUST provide information on how long firmware updates fixing common vulnerabilities and exposures that have a high severity (i.e. a CVSS combined score higher than 6.0 according to the Common Vulnerability Scoring System assigned to the specific device or a component used by the device) will be made available. This information SHOULD be available on the manufacturer website. Additionally it MAY be made available on the router configuration interface described in Section 4.1.2: Providing Information. The manufacturer MUST provide information if the router has reached the End of its Support (EoS) and will not receive firmware updates by the manufacturer anymore. This information (EoS) MUST be made available on the router configuration as described in Section 4.1.2: Providing Information. The manufacturer MUST provide firmware updates to fix common vulnerabilities and exposures of a high severity without culpable delay (without undue delay) after the manufacturer obtains knowledge
>
>
> --
>
> Dave Täht
> CTO, TekLibre, LLC
> http://www.teklibre.com
> Tel: 1-831-205-9740
> _______________________________________________
> Cerowrt-devel mailing list
> Cerowrt-devel@lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/cerowrt-devel
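The authenticity gate that the quoted TR-03148 passage requires (signature checked by the router itself; unsigned images never installed automatically; custom firmware installable only after the authenticated end-user accepts a warning) can be written down as a small decision function. What follows is an added example, not code from this thread, from OpenWrt, or from the BSI document. It assumes a detached ECDSA P-256/SHA-256 signature shipped next to the image (ECDSA with P-256 is one of the schemes the SOG-IS catalogue lists as agreed, but the example does not check that property), a manufacturer key that is generated on the spot instead of being pinned in the bootloader, and a constructed stand-in for the firmware image; the names Gate, SignFirmware and VerifyFirmware are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Decision is the outcome of the update function's authenticity gate.
type Decision int

const (
	Reject          Decision = iota // do not flash
	Install                         // authentic manufacturer image
	InstallUnsigned                 // custom image, end-user accepted the warning
)

func (d Decision) String() string {
	return [...]string{"Reject", "Install", "InstallUnsigned"}[d]
}

var (
	ErrBadSignature  = errors.New("signature present but does not verify: corrupted or tampered package")
	ErrUnsignedAuto  = errors.New("unsigned firmware must never be installed automatically")
	ErrUnsignedNoAck = errors.New("unsigned firmware: end-user has not accepted the warning")
)

// SignFirmware is the manufacturer side: ECDSA P-256 over SHA-256 of the
// image, giving a detached ASN.1 DER signature. Shipping the signature as a
// separate blob next to the image is an assumption of this example.
func SignFirmware(priv *ecdsa.PrivateKey, image []byte) ([]byte, error) {
	digest := sha256.Sum256(image)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// VerifyFirmware is the router side: true only if sig is a valid signature
// over image under the manufacturer public key pinned in the router.
func VerifyFirmware(pub *ecdsa.PublicKey, image, sig []byte) bool {
	digest := sha256.Sum256(image)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// Gate applies the quoted rules. automatic is true for the WAN-side online
// update and false for a package uploaded through the configuration
// interface; userAcceptedWarning is the authenticated end-user's answer to
// the "unsigned firmware" warning and is only consulted on the manual path.
func Gate(pub *ecdsa.PublicKey, image, sig []byte, automatic, userAcceptedWarning bool) (Decision, error) {
	if len(sig) > 0 {
		if VerifyFirmware(pub, image, sig) {
			return Install, nil
		}
		// A present-but-invalid signature is never downgraded to "unsigned":
		// it is a tampered or corrupted package, and no warning dialog can
		// make it installable.
		return Reject, ErrBadSignature
	}
	if automatic {
		return Reject, ErrUnsignedAuto // MUST NOT auto-install unsigned firmware
	}
	if !userAcceptedWarning {
		return Reject, ErrUnsignedNoAck
	}
	return InstallUnsigned, nil // MAY install custom firmware after the warning
}

func main() {
	// Constructed stand-ins: a real router carries the manufacturer public
	// key in its updater or bootloader rather than generating one here.
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	image := []byte("constructed firmware image v1.0")
	sig, err := SignFirmware(priv, image)
	if err != nil {
		panic(err)
	}
	tampered := append([]byte(nil), image...)
	tampered[0] ^= 0x01

	cases := []struct {
		name      string
		img, sig  []byte
		auto, ack bool
	}{
		{"signed, online update", image, sig, true, false},
		{"tampered, manual, user clicks through", tampered, sig, false, true},
		{"unsigned, online update", image, nil, true, true},
		{"unsigned, manual, warning declined", image, nil, false, false},
		{"unsigned, manual, warning accepted", image, nil, false, true},
	}
	for _, c := range cases {
		d, err := Gate(&priv.PublicKey, c.img, c.sig, c.auto, c.ack)
		fmt.Printf("%-40s -> %-15s %v\n", c.name, d, err)
	}
}
```

The one design point worth noting is the ordering: a package that carries a signature which fails to verify is rejected before the "unsigned" branch is ever reached, so a corrupted download or a modified image cannot be smuggled through the custom-firmware warning; only a package with no signature at all can take that path, and only on the manual, end-user-initiated update.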