Firmware download links: http or https?

@bobafetthotmail I've seen you purposely switched to http instead of https @TL-WR1043ND v4.x dataentry.

Is this device specific or rather a general requirement? If the latter, I would convert all to http, because now the majority has https links.

I think it would be better to have all links to firmware upgrade images in http, as by default (and in the most common usage scenarios) the devices themselves can't wget from https. That way it's more convenient for people upgrading from command line.
If the upgrade is done using LuCI then https is fine as the download will happen with the user's PC.

For the factory link it's probably irrelevant as the download will be done by the user's PC anyway.

It's probably bike shedding though, people using command line can edit the link themselves.

1 Like

Added to the todo list https://lede-project.org/wiki/maintenance/to_do_list#dataentries.

I'll convert factory + upgrade from https -> http with the next general dataentry overhaul, which will most probably happen during the wiki merge (whenever that may be).

1 Like

I was about to post a new topic to ask if the links could be HTTPS by default, and saw that the use of HTTP is intentional.

Isn't it a problem security-wise? When I go to my device's page, there's no warning of any kind and no explanation about how I can check the integrity of the firmware.

It seems that the HTTP link is necessary for people who want to download the image directly on their devices and then upgrade from the command line. But in this case, this means that they have ssh access, don't they? So instead of doing a wget from the device, they can just do a scp from their computer? Besides, the warning from wget from OpenWrt is quite clear, so it's not like people will waste time with this.

In any case IMHO the links should be secure by default.

2 Likes
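The integrity check asked about in the post above, as an added example that is not part of the original thread: a POSIX shell function that compares an image fetched over plain HTTP against a SHA-256 list before it is flashed. It assumes the list uses the `sha256sum` output format and was itself obtained over a trusted channel (HTTPS on the user's PC, or a verified signature); the function name, file names and demo data are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify a firmware image downloaded over plain HTTP against a
# SHA-256 list that was obtained over a trusted channel (assumption).

# verify_image IMAGE SUMS
# Returns 0 on match, 1 on mismatch, 2 if a file is missing or the image
# name is not listed. File names are assumed to contain no whitespace.
verify_image() {
    image=$1
    sums=$2
    [ -f "$image" ] && [ -f "$sums" ] || return 2
    name=$(basename "$image")
    # Lines look like "<hex>  name" or "<hex> *name" (binary-mode marker).
    expected=$(awk -v n="$name" \
        '{ f = $2; sub(/^\*/, "", f); if (f == n) { print $1; exit } }' "$sums")
    [ -n "$expected" ] || return 2
    actual=$(sha256sum "$image" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# Constructed demo: a stand-in "image" and a digest list built locally.
# Prints the result for the intact file, then for the modified one.
demo() {
    dir=$(mktemp -d)
    printf 'constructed firmware bytes' > "$dir/fw-sysupgrade.bin"
    (cd "$dir" && sha256sum fw-sysupgrade.bin > sha256sums)
    verify_image "$dir/fw-sysupgrade.bin" "$dir/sha256sums" && ok=0 || ok=$?
    printf 'x' >> "$dir/fw-sysupgrade.bin"   # simulate modification in transit
    verify_image "$dir/fw-sysupgrade.bin" "$dir/sha256sums" && bad=0 || bad=$?
    rm -rf "$dir"
    echo "$ok $bad"
}

demo   # prints "0 1"
```

A digest list fetched over the same plain-HTTP connection as the image proves nothing on its own; the comparison is only meaningful when the list comes from a source the image's transport cannot tamper with.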

Not always. I.e. when doing remote sysupgrade, no ssh access.
Feel free to use https yourself, but do not force its use onto others.

1 Like

Sorry, I didn't mean to force it onto others. I just meant to provide the links on the web pages as their https:// variant rather than the http, so that just clicking is secure by default. This doesn't mean that wget http://... should stop working. Indeed, from the previous posts, it seems that the links on the web pages used to be https and that people had to remove the s from the https:// link to download their firmware using wget from OpenWrt. I'm advocating for a change back to this state.

2 Likes