From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-qk1-x735.google.com (mail-qk1-x735.google.com [IPv6:2607:f8b0:4864:20::735]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by lists.bufferbloat.net (Postfix) with ESMTPS id 36C023B29E for ; Mon, 26 Nov 2018 13:05:22 -0500 (EST) Received: by mail-qk1-x735.google.com with SMTP id m5so12830819qka.9 for ; Mon, 26 Nov 2018 10:05:22 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to :content-transfer-encoding; bh=8yevbHeexMpLJhj7WgJhj+AGws4aEAZkeUQpQ7L/QKE=; b=WzB+KO/djCc1P0EjziLjfD+aQwYYCx2rVGJ6Ow1zfG+kqAGIDH1hqzrofgJoIn28lR eXquJzpJpjmLiqcKx8DZiR0pfeE+kRAc7M+SIFgLSj1q8YWFuCF6bF+WOeyDPdfuR4p0 CIzUoqKxFo60VJQgOzlSxCmGUVimXA3KTmMSf6HrPyNxwSRVefO23ghWN+qrInOja/gS 41MdCbnJPPm9JmpFS2KEn+66buHtDp3rt50c1Xc5SjVLlDutdvKsjDr41UddhXNyio4j 5hVw6NWVz4DH9Rj5hpun5XRpoZ6R9VjNxbbjcL0r+RkGKtDFnnkOcj2FHARwYkB1Ib4X fH8Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to :content-transfer-encoding; bh=8yevbHeexMpLJhj7WgJhj+AGws4aEAZkeUQpQ7L/QKE=; b=bHzcCKLnESWRfs9Bhol37iQvLOYTSRS9sT8ZQ4nJCfpgkzvf+kBcDk1YudGRTI5scA Apd8pS7r1Cvp9llC/fXr9LVsd7YAmTGN4px9kQ3cD2Fqgg1qvVUY//t7pG696AIa9knI 9PXr4hUN1U0s0hbr1ofPSzLqxek0JUmCmaZ8wT6YSdlGJ7+cujpqwMvWfgpP6qdpt9cE E969iih11isnZz6WrS8Kh47BKu8wlAlQOHkdl9wT5fquc2ApCsLPdxm66P0KSAFxHG/H TPMyrw0pX/ELWsMDfz7yKXRwlCwDnIu//A9fFceUJrZAhLh9I71JAT5qp7ao/a75deKB Li7A== X-Gm-Message-State: AA+aEWYpmtlZhXldF73NAN7AX2jaF7D5H46DYiFRd1rmu4dp4rPC6GvJ GnO1C48Hecq1pLs7VQd4oqxXsWCqZmxbOmcx+6CjxyIU X-Google-Smtp-Source: AFSGD/XaZZUmuv7N444FqhyTvZ3KvKZOpBbJ0eYEG1oc++XFHC1cMz7F4urbf6V27wfqwuyrOPdIiyIyK6m1+oHuc3s= X-Received: by 2002:a37:4f8a:: with SMTP id d132mr25692667qkb.17.1543255520950; Mon, 26 Nov 2018 10:05:20 -0800 (PST) MIME-Version: 1.0 From: Dave Taht Date: Mon, 26 Nov 2018 10:05:09 -0800 Message-ID: To: cerowrt-devel Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Subject: [Cerowrt-devel] security guidelines for home routers X-BeenThere: cerowrt-devel@lists.bufferbloat.net X-Mailman-Version: 2.1.20 Precedence: list List-Id: Development issues regarding the cerowrt test router project List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 26 Nov 2018 18:05:22 -0000 I only briefly scanned this, but I did find some things that made me happy. Still, What happens after end of life? https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Technisch= eRichtlinien/TR03148/TR03148.pdf;jsessionid=3D01F54E80B004E9BFB194DBC00DE9B= 961.2_cid360?__blob=3DpublicationFile&v=3D2 "To be able to react to newly appearing exploits of soft- or hardware vulnerabilities of the router or any of its components the router MUST have a functionality to update the firmware (operating system and applications) using a firmware package. The router MUST allow the end-user to fully control such a firmware update and determine to initiate an online update (router retrieves firmware package from the Internet (WAN interface)) and/ or manually update the firmware through the configuration interface (user provides firmware package) described in Section 4.1: Configuration and Information." The router SHOULD offer an option to automatically retrieve security relevant firmware updates from a trustworthy source over the Internet (WAN interface). If the router offers this functionality it SHOULD be activated by default, but MUST be possible for the end-user to deactivate it when using customized settings. In both scenarios (manual and automated update) the firmware update function of the router MUST check the authenticity of the firmware package (file) before it is installed on the router. This SHOULD be done by a digital signature that is applied to the firmware package by the manufacturer and checked by the router itself. For this purpose only signature schemes in accordance to [SOG-IS] Section 5.2: Digital Signatures MUST be used. The router MUST NOT automatically install any unsigned firmware. The router MAY allow the installation of unsigned firmware (i.e. custom firmware) IF a meaningful warning message has been shown to the authenticated end-user and the end-user accepts the installation of the unsigned firmware. the manufacturer of the router MUST provide information on how long firmware updates fixing common vulnerabilities and exposures that have a high severity (i.e. a CVSS combined score higher than 6.0 according to the Common Vulnerability Scoring System3 assigned to the specific device or a component used by the device) will be made available. This information SHOULD be available on the manufacturer website. Additionally it MAY be made available on the router configuration interface described in Section 4.1.2: Providing Information. The manufacturer MUST provide information if the router has reached the End of its Support (EoS) and will not receive firmware updates by the manufacturer anymore. This information (EoS) MUST be made available on the router configuration as described in Section 4.1.2: Providing Information. The manufacturer MUST provide firmware updates to fix common vulnerabilities and exposures of a high severity without culpable delay (without undue delay) after the manufacturer obtains knowledge --=20 Dave T=C3=A4ht CTO, TekLibre, LLC http://www.teklibre.com Tel: 1-831-205-9740