From: Dave Taht
Date: Mon, 26 Nov 2018 10:40:54 -0800
To: Sebastian Moeller
Cc: cerowrt-devel
Subject: Re: [Cerowrt-devel] security guidelines for home routers
List-Id: Development issues regarding the cerowrt test router project

On Mon, Nov 26, 2018 at 10:24 AM Sebastian Moeller wrote:
>
> Hi Dave,
>
>
> neither the openwrt folks (see https://openwrt.org) nor the chaos computer club of germany (see German: https://www.ccc.de/en/updates/2018/risikorouter, machine English: https://translate.google.com/translate?sl=de&tl=en&js=y&prev=_t&hl=de&ie=UTF-8&u=https%3A%2F%2Fwww.ccc.de%2Fen%2Fupdates%2F2018%2Frisikorouter&edit-text=) seem to be fully convinced.
> Personally I believe this is a step in the right direction, even though hopefully just a first step.

I would like it very much if my country attempted to get to something
similar as a requirement for FCC certification or import.

Stronger yes, would be nice, but there was nothing horrible in here
that I could see. It is extremely well written, could probably use a
glossary.

>
> Openwrt and CCC mainly criticise:
>
> "The Chaos Computer Club (CCC) and OpenWrt took part in multiple review and discussion rounds with the Bundesamt für Sicherheit in der Informationstechnik (BSI) and representatives of multiple device vendors and network operators.
> These are our two main demands:
>
> 1)  Vendors have to inform customer before buying the product for all devices being sold in Germany, how long the device will get security updates in case problems are found.

I am reminded of the mandatory warnings on all cig smoking cartons.
Long term, I guess, they've been effective. I seem to be one of the
few left that still smoke, and most of the other smokers I know use
rollies, and don't have to read about what they are doing to
themselves on every pack.

> 2) The customer must have the possibility to install custom software on their devices, to have the possibility to fix security problems even after the official vendor support ended."
>
> I believe that 1) is currently supposed to be posted on a web-site so will not be effortlessly visible at the point of sale in a store.

I would rather like that. With most computer gear today, you are
essentially buying a lease. "Supported for 1 week longer than our 1
year warranty". People should value a long term support plan, as much
as they value getting a 10 year "bumper to bumper" warranty on a car.

Spending 200 bucks on a piece

> And 2) basically is a complaint that there is a weak MAY clause for guaranteeing that 3rd party firmware like openwrt is installable. I think this was weakened on purpose by the DOCSIS-ISPs which seem to have zero interest for 3rd party firmwares for cable-modems/routers. (I would not be amazed if cable labs would actually rule something like this out per contract, but I have zero evidence for that hypothesis).

These are the people that *rent* modems to you at an enormous margin
and are unwilling to support it? Sigh...

I have zip, zero problem, if cable folk *leased* you a modem, managed
it, and then provided a new one when their support costs got too
great. It would do wonders for the entire industry if they simply gave
away new docsis 3 or 3.1 modems to every one still running an earlier
one....

There's a huge difference in "leasing" vs "renting" vs "buying" I guess.

There's a movement here called "right to repair", which is not
something I've been tracking here. How's it going over there? It's
used a lot when arguing with John Deere about their tractors....

>
>
>
> > On Nov 26, 2018, at 19:05, Dave Taht wrote:
> >
> > I only briefly scanned this, but I did find some things that made me
> > happy. Still, What happens after end of life?
> >
> > https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR03148/TR03148.pdf;jsessionid=01F54E80B004E9BFB194DBC00DE9B961.2_cid360?__blob=publicationFile&v=2
> >
> > "To be able to react to newly appearing exploits of soft- or hardware
> > vulnerabilities of the router or any of its components the router MUST
> > have a functionality to update the firmware (operating system and
> > applications) using a firmware package. The router MUST allow the
> > end-user to fully control such a firmware update and determine to
> > initiate an online update (router retrieves firmware package from the
> > Internet (WAN interface)) and/ or manually update the firmware through
> > the configuration interface (user provides firmware package) described
> > in Section 4.1: Configuration and Information."
> >
> > The router SHOULD offer an option to automatically retrieve security
> > relevant firmware updates from a trustworthy source over the Internet
> > (WAN interface). If the router offers this functionality it SHOULD be
> > activated by default, but MUST be possible for the end-user to
> > deactivate it when using customized settings. In both scenarios
> > (manual and automated update) the firmware update function of the
> > router MUST check the authenticity of the firmware package (file)
> > before it is installed on the router. This SHOULD be done by a digital
> > signature that is applied to the firmware package by the manufacturer
> > and checked by the router itself.
> > For this purpose only signature
> > schemes in accordance to [SOG-IS] Section 5.2: Digital Signatures MUST
> > be used. The router MUST NOT automatically install any unsigned
> > firmware. The router MAY allow the installation of unsigned firmware
> > (i.e. custom firmware) IF a meaningful warning message has been shown
> > to the authenticated end-user and the end-user accepts the
> > installation of the unsigned firmware.
> >
> > the manufacturer of the router MUST provide information on how long
> > firmware updates fixing common vulnerabilities and exposures that have
> > a high severity (i.e. a CVSS combined score higher than 6.0 according
> > to the Common Vulnerability Scoring System assigned to the specific
> > device or a component used by the device) will be made available. This
> > information SHOULD be available on the manufacturer website.
> > Additionally it MAY be made available on the router configuration
> > interface described in Section 4.1.2: Providing Information. The
> > manufacturer MUST provide information if the router has reached the
> > End of its Support (EoS) and will not receive firmware updates by the
> > manufacturer anymore. This information (EoS) MUST be made available on
> > the router configuration as described in Section 4.1.2: Providing
> > Information. The manufacturer MUST provide firmware updates to fix
> > common vulnerabilities and exposures of a high severity without
> > culpable delay (without undue delay) after the manufacturer obtains
> > knowledge
> >
>

-- 

Dave Täht
CTO, TekLibre, LLC
http://www.teklibre.com
Tel: 1-831-205-9740
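
Added example, not part of the original message or of TR-03148: the install rules quoted above (signed, unsigned-automatic, unsigned-with-warning) written as one decision function. All names are hypothetical, the key and packages are constructed, and HMAC-SHA256 stands in for the asymmetric [SOG-IS] signature a real router would verify, only so the code runs with the Python standard library.

```python
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum
from typing import Optional

# Constructed demo key. HMAC-SHA256 is only a standard-library stand-in so the
# example runs offline; the quoted text requires a digital signature scheme
# from [SOG-IS] Section 5.2, verified against the manufacturer's public key.
DEMO_KEY = b"constructed-demo-key"


class Decision(Enum):
    INSTALL = "install signed package"
    INSTALL_UNSIGNED = "install unsigned package after accepted warning"
    REJECT = "reject"


@dataclass
class UpdateRequest:
    package: bytes
    signature: Optional[bytes]        # None means the package is unsigned
    automatic: bool                   # True: online auto-update, no user involved
    user_authenticated: bool = False  # end-user logged in to the config interface
    warning_accepted: bool = False    # end-user confirmed the warning message


def sign(package: bytes) -> bytes:
    """Manufacturer side of the stand-in scheme (hypothetical helper)."""
    return hmac.new(DEMO_KEY, package, hashlib.sha256).digest()


def decide(req: UpdateRequest) -> Decision:
    if req.signature is not None:
        # Assumption of this example: a signature that is present but wrong is
        # rejected outright, never downgraded to the "unsigned" path.
        ok = hmac.compare_digest(sign(req.package), req.signature)
        return Decision.INSTALL if ok else Decision.REJECT
    if req.automatic:
        # "MUST NOT automatically install any unsigned firmware."
        return Decision.REJECT
    if req.user_authenticated and req.warning_accepted:
        # The MAY clause: authenticated end-user has seen and accepted a warning.
        return Decision.INSTALL_UNSIGNED
    return Decision.REJECT
```

Whether a router implements the last branch at all is exactly the MAY clause the thread is arguing about; removing it leaves a device that only ever accepts vendor-signed images.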