Hi Pavel,<div><br></div><div>Thanks for your input!</div><br><div>As mentioned before, I don't have a problem with ISPs (recording my online activities, metadata, etc). I just have a problem with hackers, and anyone else fiddling with our security updates and TLS sessions; as we all do, no doubt.</div><div><br></div><div>The last time I looked into using OpenWRT, Tomato and DD-WRT (a few years ago), I noticed their firmware image files (on their websites) were very out of date (more-so than regular consumer router firmware), some were 2+ years old, so I assumed they weren't being actively patched at all. Do you get regular updates with OpenWRT? E.g. did you, following the various OpenSSL vulnerabilities?</div><div><br></div><div><br></div><div><br><br>On Wednesday, 21 October 2015, Pavel Volský <<a href="mailto:pavel.volsky@gmail.com">pavel.volsky@gmail.com</a>> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi Dirk,<br>ever heard about OpenWRT? I'm running it without any problems for last 3+ years at home.<br>List of supported devices is here -> <a href="http://wiki.openwrt.org/toh/start" target="_blank">http://wiki.openwrt.org/toh/start</a><div><br></div><div>No one can ensure you that your connection to your ISP is super secure. They will do their best (the least minimum to sell the product) to keep you happy.<br><br>If you have trust issues I suggest to "bypass" the ISP. Get a VPS at any hosting you trust and build your VPN server there. <br>With the OpenWRT it is easy to setup a site-to-site VPN and tunnel everything there. <br>Additionally do packet inspection. <br><br>Good luck!<br>Pavel<br><br><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On 21 October 2015 at 12:43, Dirk <span dir="ltr"><<a href="javascript:_e(%7B%7D,'cvml','justanothergreenguy@gmail.com');" target="_blank">justanothergreenguy@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">No, I don't trust my modem router (and nobody should IMHO) given how easily they're getting hacked, and how infrequent the firmware is updated (if at all). Router security has been found time and time again to be poorly implemented (eg. in some cases you can't disable UPnP (despite ticking the checkbox), can't disable WAN-side admin (despite ticking the checkbox), WPS is broken, port 32764 funny games, services running inside the router that shouldn't be, etc etc). Anyway, best not to trust a consumer router. It's an easy target for hackers these days. Better to treat it like a public wifi hotspot.<div><br></div>I trust my ISP a lot more than my modem router. I rely on a reduced set of valid TLS certs (including OCSP verification) to ensure I'm connecting to the right destinations. I trust my ISP pays far more attention to maintaining its network security, than router manufacturers do in maintaining their products after purchase. I think that's a reasonable position to take.<div><br></div><div>I agree with you that security can be broken anywhere along the line (stolen private TLS certs, malverts served up, etc), but we're all in the same boat. We're all relying on TLS certs, strong encryption, strong server-side user authentication, etc).</div><div><br></div><div>Agreed, RPi firmware may already contain a backdoor. Just an option I was going to look into down the track, for defeating persistent threats like BIOS malware.</div><div><br></div>At the end of the day, I should at least be able to fetch uncorrupted package lists and security updates for my Linux OS.<div><br></div><div>I still suspect my router, and was hoping a VPN to a trusted ISP would be an easy solution, to defeat any funny games inside my home router.<br></div><div><div><br></div><div>What do you all do to ensure you're getting a trustworthy connection to your ISP?</div><div><br></div><div>Do you all trust your home routers?<div><div><br><div><br></div><div><br></div><div><br><div><br><br>On Wednesday, 21 October 2015, Brad Campbell <<a href="javascript:_e(%7B%7D,'cvml','brad@fnarfbargle.com');" target="_blank">brad@fnarfbargle.com</a>> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 20/10/15 13:17, Dirk wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Oops, my error, I think I'm already using PPPoE. But don't you lose the<br>
firewall of NAT (re unsolicited traffic) in pass-through mode? ...and a<br>
MITM in the modem could still play funny games if your traffic isn't<br>
encrypted from your computer.<br>
</blockquote>
<br>
In my case NAT is performed on the server that handles the PPPoE connection. You appear not to trust your modem, but seem to have implicit trust in your ISP and everything between the ISP and what you are connecting to.<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Am I wrong in thinking a VPN (set up on the PC, not in the<br>
router) would offer far greater security through an (any) untrusted<br>
router? I mean, isn't that what is recommended for people logging into<br>
their corporate network remotely (say from a hotel, etc)...?<br>
</blockquote>
<br>
As I said above, if the only piece of untrusted gear is your home router, then yes the VPN will help. Your faith in everything else being completely trustworthy is misplaced however.<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
As far as I know, the RPi incorporated the GPU driver with the OS in the<br>
one big blob that goes on the SD card. As such, you can verify the<br>
integrity of everything volatile / rewriteable before using it, with a<br>
simple MD5 checksum across the whole SD device. ...but I may be mistaken :)<br>
</blockquote>
<br>
So what if the blob already contains a backdoor? No point verifying the MD5 of a compromised blob.<br>
<br>
If you are really concerned, talk to some real IT security professionals and do a proper Threat, Vulnerability & Risk Assessment (TVRA). Manage the real risks rather than the perceived risks.<br>
<br>
I get the idea you seem to think your highest level risk is a firmware compromise. Lets start from basics. What are you actually trying to protect against? (ie what threat are you mitigating by cutting the router out of the loop?)<br>
<br>
<br>
<br>
_______________________________________________<br>
PLUG discussion list: <a>plug@plug.org.au</a><br>
<a href="http://lists.plug.org.au/mailman/listinfo/plug" target="_blank">http://lists.plug.org.au/mailman/listinfo/plug</a><br>
Committee e-mail: <a>committee@plug.org.au</a><br>
PLUG Membership: <a href="http://www.plug.org.au/membership" target="_blank">http://www.plug.org.au/membership</a><br>
</blockquote></div></div></div></div></div></div>
<br>_______________________________________________<br>
PLUG discussion list: <a href="javascript:_e(%7B%7D,'cvml','plug@plug.org.au');" target="_blank">plug@plug.org.au</a><br>
<a href="http://lists.plug.org.au/mailman/listinfo/plug" rel="noreferrer" target="_blank">http://lists.plug.org.au/mailman/listinfo/plug</a><br>
Committee e-mail: <a href="javascript:_e(%7B%7D,'cvml','committee@plug.org.au');" target="_blank">committee@plug.org.au</a><br>
PLUG Membership: <a href="http://www.plug.org.au/membership" rel="noreferrer" target="_blank">http://www.plug.org.au/membership</a><br></blockquote></div><br></div>
</blockquote></div>