HTTPS Downloads - Security Issue

boktai1000 · November 12, 2021, 6:08pm

I recently went to https://openwrt.org/toh/hwdata/linksys/linksys_wrt32x_v1_venom to grab the latest build for 32X and was hit with some "scary" error messages in the Edge browser about the fact that the links were over http:// to download

You can see here:
Firmware OpenWrt Install URL:

http://downloads.openwrt.org/releases/21.02.1/targets/mvebu/cortexa9/openwrt-21.02.1-mvebu-cortexa9-linksys_wrt32x-squashfs-factory.img

Firmware OpenWrt Upgrade URL:

http://downloads.openwrt.org/releases/21.02.1/targets/mvebu/cortexa9/openwrt-21.02.1-mvebu-cortexa9-linksys_wrt32x-squashfs-sysupgrade.bin

Firmware OpenWrt snapshot Install URL:

http://downloads.openwrt.org/snapshots/targets/mvebu/cortexa9/openwrt-mvebu-cortexa9-linksys_wrt32x-squashfs-factory.img

Firmware OpenWrt snapshot Upgrade URL:

http://downloads.openwrt.org/snapshots/targets/mvebu/cortexa9/openwrt-mvebu-cortexa9-linksys_wrt32x-squashfs-sysupgrade.bin

To replicate the issue, simply use Microsoft Edge (latest version) and attempt to download and you'll be hit with a security prompt that blocks the downloads.

flygarn12 · November 12, 2021, 6:15pm

I saw this also a couple of weeks ago when downloading 21.02.1 images. But since I download imagebuilder and verify them with the gpg public key downloaded when 21.02 branch was released I continued with the download.

hnyman · November 12, 2021, 6:16pm

@tmomas

I thought that we currently had https links in the techdata / ToH pages ?

tmomas · November 12, 2021, 8:49pm

hnyman · November 12, 2021, 9:26pm

I think that the situation has changed a lot from year 2017 (the first thread), as currently both master and 21.02 already default for https with the opkg package downloads by the router itself. Routers have https support by default since August 2020 (due to WPA3 readiness).

opkg switch to https was also done in August 2020 by

Support for 19.07 will soon end, and all further releases should support https.

Also desktop browsing in general is nowadays largely https based, so I see no special reason why we should stick to promoting http downloads any more.

tmomas · November 12, 2021, 11:13pm

OK, I will take care of changing the dataentries from http -> https during the next days.

anon89577378 · November 14, 2021, 11:48pm

My vote -

tmomas · November 15, 2021, 9:36pm

FYI - https links will be visible in the ToH within the next 15..30min.

Edit: Done.

tmomas · November 25, 2021, 9:37pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.