|
|
Subscribe / Log in / New account

OpenWrt and self-signed certificates

By Jake Edge
November 18, 2020

The move to secure most or all of web traffic using HTTPS is generally a good thing; lots of personal information is exchanged via web browsers, after all. Using HTTPS requires web sites to have TLS certificates, however, which has sometimes been an impediment, though Let's Encrypt has generally solved that problem for many. But there are systems out there that may need the HTTPS protection before their owners even have a chance to procure a certificate, IoT devices and home routers, for example. An October discussion among OpenWrt developers explored this problem a bit.

OpenWrt is a distribution that targets wireless routers for the home and it provides a configuration interface, called LuCI, as a web application running on the device. Users can connect to the device over unencrypted HTTP, but that may be problematic in certain environments. By default, LuCI does not listen on the internet-facing side of the router, but is available via both wired and wireless access on the local network, though the wireless network is not enabled by default for OpenWrt. Since the router's authentication credentials could potentially be intercepted by malicious actors, many will want to only enable LuCI over HTTPS.

The project has suggestions for securing access to LuCI, including enabling HTTPS-only access. But LuCI comes with a self-signed TLS certificate, so users will have to click through a browser security warning every time they access LuCI, which is not a great user experience. There are instructions for creating a new self-signed certificate and installing it on the device and on the client side so that the warnings are silenced. That mechanism has a number of downsides, not least that the new certificate needs to be installed on every system that will be used to access LuCI.

In theory, getting a certificate from Let's Encrypt would solve many of the problems, but that solution is not without hurdles either. For one thing, Lets Encrypt uses the Automated Certificate Management Environment (ACME) protocol, which requires that the system requesting the certificate be connected to the internet. Beyond that, a device will need a domain name that can be used by the issuing server to connect to them; obviously, "luci.openwrt" and similar sorts of names that are currently being used will not work for that purpose.

On the openwrt-devel mailing list, "abnoeh" proposed a somewhat complicated scheme that would provide a means for OpenWrt router devices to get working certificates. A "technically constrained subordinate CA" would be created that could sign certificates for sub-domains of "luci.openwrt.org", though it is not entirely clear which existing CA would be willing to sign subordinate CA keys—Let's Encrypt and DigiCert are mentioned as possibilities. The proposal calls the new CA the "OpenWrt CA".

A router that needs a certificate contacts the OpenWrt CA over an encrypted channel and sends its SSH host key; the CA hashes the key and reserves the "SSH-hash.luci.openwrt.org" host name for the device. The OpenWrt CA sends back a nonce to the router, which creates a certificate signing request (CSR), hashes it, and then signs the hash, nonce, and a timestamp using its SSH host key. The CSR and signed message are sent back to the OpenWrt CA, which verifies the information and signature, signs the certificate, and sends it back to the device. At that point, the router has a valid certificate; it can intercept connections to SSH-hash.luci.openwrt.org, route them to itself, and LuCI over HTTPS can be used without browser warnings, though the host name is perhaps not the friendliest.

There are still some problems to be solved, of course and routers that are not already connected to the internet will be unable to participate. In addition, abnoeh noted that the project would need to run the OpenWrt CA server and figure out a way to reasonably rate-limit requests from clients. There is also a question of what the openwrt.org DNS servers should return when SSH-hash.luci.openwrt.org requests are made.

Michael Richardson wondered if the project could find a CA that would be willing to set up the subordinate CA and whether the CA/Browser Forum (CABForum) rules will allow what is needed. If the subordinate CA violates those rules, the browser makers would remove the parent CA from the browsers unless it revoked the subordinate, which would be a horrendous mess. But abnoeh thinks those rules do not prevent the usage suggested.

Abnoeh did ask if it made sense to dispense with HTTPS entirely, though, and to wrap LuCI with SSH instead. Alberto Bursi suggested considering mobile apps on Android and iOS as a way of sidestepping the HTTPS certificate problems, but Sam Kuper cautioned that an app wouldn't necessarily solve the problems, even though it seems like an attractive approach. There are some users who lack a device to run the app, for one thing, but the app will also have to deal with certificate issues in one form or another. "Ultimate[ly], SSL/TLS on IoT is a hard problem: the two technologies are currently not *fully* mutually compatible without imposing some burden on the user."

Some were not sure of the need for CA-issued certificates, however, at least by default. Fernando Frediani said that most OpenWrt users would not find it strange to have to click through the certificate warning and, for the most part, LuCI is only accessed from trusted networks. But Richardson cautioned that those assumptions may lead to unexpected kinds of problems:

As a result, most devices are [accessible] only from internal networks, and usually never exposed to the Internet. Default passwords remain unchanged, and malware infected a vulnerable PC easily attacks the OpenWRT LuCI interface.

Bursi said that OpenWrt users already have to jump through a fair number of hoops to even get it running on their devices, so it is probably a mistake to think that they will not change the root password; by default, OpenWrt does not enable WiFi, for example, which is probably not what these users are looking for:

Then after they did that they decide to leave the device as-is with default config with LAN/Wan routing and no wifi, which is in most cases plain worse than what the stock firmware offers?

Many in the thread thought that abnoeh's idea was worth pursuing to make it easier for users who do want a real certificate, but Bas Mevissen suggested that the proposal might be "making things more difficult than they need to be". Owners should be doing the initial install on a trusted LAN and configuring the device before connecting it to the internet or allowing others to use it.

So I think it is reasonably safe to do the initial setup over HTTP (without the "S") at the first boot if there are no certificates available from a previous OpenWRT install. Then the user can setup the WAN side if needed and upload (from local PC), generate (self-signed) or acquire (e.g. Let's Encrypt) the certificates for Luci. After that, the connection is switched to HTTPS and HTTP switched off.

The main concern that Mevissen had was about how to transfer credentials to a new install. "Even though the user/admin should be alone on the connection, sending those unencrypted over the line is not desirable." Abnoeh suggested using a USB drive to transfer those kinds of credentials, at least for systems that have a USB port.

Richardson wondered about less technically savvy users, though. Mevissen said that OpenWrt should simply "aim to get the best possible security with the least effort (on user side) possible". Mevissen noted that other routers typically come with self-signed certificates for their administrative interfaces, so OpenWrt would not be out of step to do so; providing users with ways to replace that certificate is important, but the complexity of abnoeh's proposal does not seem needed.

OpenWrt is far from alone in having this problem; as noted, IoT devices have it as well. Other web-based administrative interfaces (e.g. Webmin, Cockpit) have similar certificate-bootstrap problems, though they may generally target folks who are more technical than your average home user. For good or ill, secure web access was tied to the CA system from the outset—with the self-signed option as an escape hatch. The CA model does not work for all use cases, by any means, and the escape hatch is slowly closing, however. It is not entirely clear what systems that want to provide secure HTTP access in restricted environments of various sorts (e.g. no domain name, no internet connection) can do—at least without compromising the existing HTTPS security story for other users, especially those of a less-technical bent.


Index entries for this article
SecurityDistribution security
SecuritySelf-signed TLS/SSL certificate

to post comments

OpenWrt and self-signed certificates

Posted Nov 18, 2020 22:49 UTC (Wed) by Cyberax (✭ supporter ✭, #52523) [Link] (22 responses)

Why not provide HTTP interface on the LAN interface only? Yes, it's theoretically vulnerable but it should be fine for setting up the HTTPS initially.

OpenWrt and self-signed certificates

Posted Nov 18, 2020 23:02 UTC (Wed) by gray_-_wolf (subscriber, #131074) [Link]

I believe that is alread the case (quoting from the article):

> By default, LuCI does not listen on the internet-facing side of the router, but is available via both wired and wireless access on the local network, though the wireless network is not enabled by default for OpenWrt.

I've "solved" this by tunelling the luci over ssh and connecting to localhost. Seems to work well enough.

OpenWrt and self-signed certificates

Posted Nov 18, 2020 23:41 UTC (Wed) by thumperward (guest, #34368) [Link] (7 responses)

https-only is coming to browsers. openwrt is far from the only place where this is going to cause problems. An overwhelming majority of net-oriented development tools (such as programming language dev servers, and cloud systems labs that assume flinging nginx onto a box will let its connectivity be tested) assume that browsers will accept unencrypted traffic.

openwrt is probably in a better situation than most of these use cases to be honest. At least there's plenty of work already in the wild permitting domestic routers to handle this.

OpenWrt and self-signed certificates

Posted Nov 19, 2020 0:58 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link] (6 responses)

> https-only is coming to browsers.
There are no plans to disable HTTP completely. With the amount of other IoT stuff that uses HTTP internally.

And anyway, self-signed HTTPS certs are unlikely to go away either.

OpenWrt and self-signed certificates

Posted Nov 19, 2020 10:36 UTC (Thu) by LtWorf (subscriber, #124958) [Link] (5 responses)

Try accepting a self signed on chrome on winows… Last I tried I failed to do it and had to use firefox.

OpenWrt and self-signed certificates

Posted Nov 19, 2020 15:52 UTC (Thu) by Lennie (subscriber, #49641) [Link] (2 responses)

Well... https://www.zdnet.com/article/chrome-will-soon-have-its-o... :-)

OpenWrt and self-signed certificates

Posted Nov 21, 2020 17:33 UTC (Sat) by LtWorf (subscriber, #124958) [Link] (1 responses)

It's not all bad… because of reasons I was using windows XP the other day, and basically internet is unusable because of https and severely old certs that are on XP. I installed chrome on it.

OpenWrt and self-signed certificates

Posted Nov 23, 2020 22:52 UTC (Mon) by Lennie (subscriber, #49641) [Link]

You touch on an other subject: old software and encryption, etc.

I'm very much for something like archive.org making old software run again so people can use it as it used to be used.

I'm amazed at what has been possible: https://archive.org/details/win3_stock

https://bellard.org/jslinux/vm.html?url=win2k.cfg&mem...

But as we've seen for example Apple had a service which was used to check developer signing certificates. These kinds of things will make it harder and harder to keep old software running.

And full disk encryption will mean a device which isn't in use anymore because someone dies the data might be gone.

The reason the dark ages are called the dark ages is because we didn't have much books/records from then. We might be entering (if not already have) digital darkages.

OpenWrt and self-signed certificates

Posted Nov 22, 2020 10:24 UTC (Sun) by shx (guest, #105604) [Link]

I ran into similar issues but that turned out to be a problem with an malformed certificate create by an old Juniper. The unexpected new information was that still a lot of the browser TLS stack is bound to the TLS library shipped with your OS, which results in browsers behaving differently on different operating systems, especially Chromium based browser. Probably the most consistent experience has Firefox due to NSS and the root cert store they ship. But than again distro builds might differ.

OpenWrt and self-signed certificates

Posted Aug 4, 2021 3:24 UTC (Wed) by Divadeer (guest, #153561) [Link]

You have to add the certificate to the windows certificate store. There are several different "substores" to put it in. Do not put it in personal. Add it to the Trusted Root Certificates Directory. I just checked and chrome uses windows certificate store by default. So if it is trusted by your operating system then it will be trusted by chrome.

OpenWrt and self-signed certificates

Posted Nov 19, 2020 12:22 UTC (Thu) by epa (subscriber, #39769) [Link] (12 responses)

Why not provide HTTPS with a single certificate shared between all OpenWrt devices? It's not particularly secure but it is not any worse than unencrypted HTTP. Again, it can be provided on the LAN interface only (and possibly restricted further, like only available when there is a single LAN client). Once initial setup is complete, a new certificate can be generated for HTTPS. The initial setup with a shared certificate would have to have a special hostname.

OpenWrt and self-signed certificates

Posted Nov 19, 2020 15:58 UTC (Thu) by Lennie (subscriber, #49641) [Link] (9 responses)

This might be the right answer.

Have a local name: local.openwrt.org which has a known certificate and which can automatically be downloaded/updated.

It's not more secure, but at least more convenient.

The DNS-server on the OpenWRT device would overwrite* the name with it's own IP and thus a DHCP-client when resolving that name would point directly that OpenWRT device.

* For example Unbound has the local-data option:

https://nlnetlabs.nl/documentation/unbound/unbound.conf/

OpenWrt and self-signed certificates

Posted Nov 19, 2020 22:42 UTC (Thu) by Fowl (subscriber, #65667) [Link] (4 responses)

Such a certificate would be immediately revoked. This has been tried before.

OpenWrt and self-signed certificates

Posted Nov 20, 2020 4:53 UTC (Fri) by tialaramex (subscriber, #21167) [Link] (1 responses)

And obtaining such a certificate with this intent is also a violation of your subscriber agreement. The issuer _probably_ won't do anything about that, but they're entitled to do so if they wish. Knock it off.

OpenWrt and self-signed certificates

Posted Nov 20, 2020 8:34 UTC (Fri) by Lennie (subscriber, #49641) [Link]

It would 100% need to be in agreement with the issuer.

And possibly the CA/B forum.

OpenWrt and self-signed certificates

Posted Nov 23, 2020 14:22 UTC (Mon) by epa (subscriber, #39769) [Link] (1 responses)

What happens if you make a certificate not for a hostname but for a particular IP address like 192.168.1.1? That address is reserved for local networks and not routable on the Internet. To get to the site, you have to enter the IP address in the URI bar (it can't be used for a hostname, even if DNS is changed to return 192.168.1.1 for that name). The certificate issuer might be prepared to allow a shared certificate under these restrictions, and Mozilla and others might be prepared to accept it. Possibly the browser, rather than its usual secure padlock item, should show a warning and require an explicit step to view the page.

OpenWrt and self-signed certificates

Posted Nov 23, 2020 22:29 UTC (Mon) by Lennie (subscriber, #49641) [Link]

Yeah maybe, I don't know what they would allow.

None of it is ideal obviously.

OpenWrt and self-signed certificates

Posted Dec 3, 2020 11:49 UTC (Thu) by akvadrako (guest, #131971) [Link] (3 responses)

Or you could use Let's Encrypt with a wildcard DNS certificate. Then you could make a public domain which can be used for each local IP:

router.small-2.local.net A 192.168.2.1
router.big-2.local.net A 10.0.2.1

OpenWrt and self-signed certificates

Posted Dec 3, 2020 23:38 UTC (Thu) by Fowl (subscriber, #65667) [Link] (2 responses)

You would then need to route/centrally re-encrypt the traffic too, otherwise you're leaking the private key.

OpenWrt and self-signed certificates

Posted Dec 4, 2020 18:19 UTC (Fri) by akvadrako (guest, #131971) [Link] (1 responses)

The private key is shared publicly with all servers. This is just to trying to be better than HTTP.

OpenWrt and self-signed certificates

Posted Dec 5, 2020 4:07 UTC (Sat) by Fowl (subscriber, #65667) [Link]

Once discovered (ie. almost immediately) such public “private” keys are revoked.

OpenWrt and self-signed certificates

Posted Nov 20, 2020 15:15 UTC (Fri) by mebrown (subscriber, #7960) [Link] (1 responses)

This opens users up to all kinds of man in the middle attacks. sharing certs between devices is a terrible idea.

OpenWrt and self-signed certificates

Posted Nov 22, 2020 4:52 UTC (Sun) by diamondlovesyou (subscriber, #119529) [Link]

MITM doesn't matter here though. HTTP (no S) also suffers from this issue but it isn't (currently) stopping anyone.

OpenWrt and self-signed certificates

Posted Nov 18, 2020 23:42 UTC (Wed) by gutschke (subscriber, #27910) [Link] (10 responses)

It might be worthwhile reaching out to browser manufacturers. I am not convinced that a special-purpose CA is quite the right place to address this issue. But I wouldn't be surprised if browsers already had access to enough information that they could securely establish the initial encrypted connection with a locally connected IoT device. A clean protocol for doing this properly would help a lot more than just OpenWRT. IoT devices are only becoming more prolific, and browsers are only becoming more strict about enforcing HTTPS everywhere.

OpenWrt and self-signed certificates

Posted Nov 19, 2020 1:57 UTC (Thu) by NYKevin (subscriber, #129325) [Link] (7 responses)

> But I wouldn't be surprised if browsers already had access to enough information that they could securely establish the initial encrypted connection with a locally connected IoT device.

Maybe. It's complicated and depends on exactly what guarantees you are going for. In general, TLS seeks to establish authenticity in addition to confidentiality, but it's unclear what that means in the context of a home network. First, we need to establish a threat model. For the sake of argument, let's assume a simple WPA-PSK system (which most people are likely to have in their homes these days). Here are some threats we might want to protect against:

0. Passive eavesdropper, does not have the WLAN password. WPA is supposed to protect against this even in the absence of TLS, but I've heard mixed things about how well it accomplishes that.
1. Passive eavesdropper, connected to the WLAN. WPA-PSK does not defend against this attacker, since everyone has the same encryption key. We need confidentiality, but authentication is not required, so it would be enough to convince the browser to stop displaying self-signed cert warnings.
2. Active eavesdropper, connected to the WLAN. MitM attacks may be possible depending on a variety of circumstances, so some sort of authentication is required.

Case 0 is probably the most common, but case 2 is the most worrying. During the initial DHCP negotiation, I'm not sure how you're supposed to prove that "I'm really a legitimate access point, not an imposter pretending to be an access point." Everyone on the network has the shared key, so it seems like everyone ought to be able to impersonate an access point. And if you can't bootstrap trust from the DHCP lease, then I really don't see how it is meant to be established.

One thing I could imagine, is the router/modem acquiring some kind of certificate asserting that it is responsible for 2001:db8:1234:ABCD::/64, using some sort of ICMP packet which the ISP's equipment can directly verify, and which the ISP's router/modem will not forward from inside the network (so you can be sure that only the router/modem is able to request it in the first place). Under IPv6, you could then use that as a trust anchor. But I don't see how that works in IPv4, because NAT breaks everything (a certificate based on the external IP address will be useless inside of a NAT). Unfortunately, I've never heard of such a standard.

OpenWrt and self-signed certificates

Posted Nov 19, 2020 2:18 UTC (Thu) by nivedita76 (subscriber, #121790) [Link] (2 responses)

This wouldn't work for the OpenWRT use case, but most devices will have a serial number on them. If you can get confidentiality, the access point can display its serial number, which can be verified physically by the user.

Almost but not quite

Posted Nov 19, 2020 3:59 UTC (Thu) by tialaramex (subscriber, #21167) [Link] (1 responses)

This is akin to a trick banks do (e.g. one of mine shows me an image I picked), and it doesn't actually work against an attacker putting any real effort in. The problem is that an imposter can selectively relay information between the parties, only the _authentication_ layer prevents that happening, not confidentiality, so if either party is unauthenticated or is mistaken about who the other party is, the subterfuge is successful.

Say your WiFi router spins up and it displays the serial number 12345-54321 so you know you've done this correctly. An imposter system just connects, scrapes 12345-54321 and when you connect to the imposter, it shows 12345-54321 which is correct so you assume you're talking to the real WiFi router.

You're almost right though, physical markings on a device can function as an out-of-band trust lever without having enough entropy to actually be secure on their own. You just can't do it this way. Use a PAKE

WPA3 actually uses a PAKE, but the one they used is rubbish. Fortunately an IETF research group spent a bunch of effort identifying some good PAKEs to recommend everywhere that the IETF needs a PAKE. I believe the appropriate choice in this case is CPace

https://datatracker.ietf.org/doc/draft-irtf-cfrg-cpace/

Almost but not quite

Posted Nov 20, 2020 7:31 UTC (Fri) by fulke (guest, #140430) [Link]

What about to print public key?

OpenWrt and self-signed certificates

Posted Nov 19, 2020 3:36 UTC (Thu) by tialaramex (subscriber, #21167) [Link] (2 responses)

Firstly good news on WiFi PSKs. In WPA3 we get what you'd expect a modern baseline to look like instead of whatever was cobbled together by people who didn't know any better previously. So OpenWrt can choose to offer that (on new enough hardware anyway).

So, in WPA3 modes a passive eavesdropper can't snoop the network layer. Participants are always using random ephemeral keys, even if there's an "open" network (ie no password). Active attacks are still possible, although some of the most attractive are just to downgrade to WPA2 or earlier, which is something clients can unilaterally defend against on a TOFU basis (e.g. your phone remembers "This network has WPA3" and refuses to downgrade to WPA2 unless you manually delete and re-add the network).

But you're correct that one essential must-solve problem for projects like OpenWrt is that authenticity depends upon having some global identity. You can't prove you're Bob unless all participants are agreed in principle about who Bob even is. Proposals that say well, we'll just punt and pretend there is local scope identity are dead in the water. Even RFC 1918 was probably a mistake in hindsight, it turns out that we are in fact all in this together, and so meaningful identity has to be global.

You're not missing anything, you do need an out-of-band step somewhere to establish trust or you're stuck with TOFU. For physical IoT devices I'd suggest that their best out-of-band mechanism is physical marking. Because OpenWrt is flashed to existing devices they're in a trickier situation, and maybe (if you aren't buying a device that's supplied with OpenWrt out of the box) the best way forward is to do that trust step during the flashing process?

OpenWrt and self-signed certificates

Posted Nov 19, 2020 18:51 UTC (Thu) by NYKevin (subscriber, #129325) [Link] (1 responses)

> Because OpenWrt is flashed to existing devices they're in a trickier situation, and maybe (if you aren't buying a device that's supplied with OpenWrt out of the box) the best way forward is to do that trust step during the flashing process?

If you have a direct, wired connection to the router, then the user should be able to physically verify the fact that it's a single cable and not e.g. a hub, switch, bus, or some other nonsense that allows multiple devices on the same segment. You can then establish trust over a link-local connection (or you can do actual DHCP over the wired connection first, if you really want to). This can be done at time of flashing or at any point thereafter.

Downsides:

* Requires the user to physically verify the network topology, which means it can't be fully automated.
* The user has to know what a "direct wired connection" means. This is a low bar for someone who is personally flashing their router, but it might be more of a problem for general consumers. There may also be social engineering attacks to consider. Plenty of people will set up an OpenWrt router once, and then hand it off to someone with poor technical skills (e.g. if you're setting up a family member's home network), so allowing this after the point of flashing may be a bad idea. OTOH, if you can't do this after flashing, then you have a problem if you ever need to re-establish trust from scratch (e.g. trust store accidentally deleted, hardware failure, etc.).
* If the device is simultaneously connected to the router over a wire and over WLAN, the browser or other trust agent must force a wired connection. This is doable on most systems, but might pose challenges if you want a general, cross-platform solution (even just on Linux, figuring out which network interface is "the right network interface" is an inconsistent mess in my experience). Alternatively, we need to disconnect from the wireless network altogether, or have some kind of OS-level support for this whole operation.
* Although many home networks do have a PC permanently wired into the router, this does nothing for any of the other devices on the network, which might be important if you have a laptop or something which has to trust the router. You would still need some kind of PAKE-like solution for expanding trust beyond that one PC. But at least you now have a means of generating and displaying a PAKE in a trusted fashion.

Overall, I am not thrilled with this idea, but I think it could work for situations where we know or reasonably believe that a technically proficient user is doing the initial setup.

OpenWrt and self-signed certificates

Posted Jan 11, 2021 19:17 UTC (Mon) by immibis (subscriber, #105511) [Link]

The router *is* a switch. Here's a typical architecture (data flow from top to bottom, not all components shown)

User

User's computer

Wire

RJ45 port on the router - stuff below this line is inside the plastic box that we call a "router"

Ethernet switch <--> CPU <--> Internet port

Wi-Fi access point

Antenna connector - stuff above this line is inside the plastic box that we call a "router"

other computers connected to Wi-Fi

In other words, the router's CPU does not get to intercept all traffic and therefore cannot prevent an ARP poisoning attack.
When you connect to 192.168.0.1 your computer first broadcasts a packet asking "what is the MAC address for 192.168.0.1?". If the first response it gets is *not* from the router's CPU, too bad. It will cache the MAC address of some other computer that maliciously replied. Then it has no way to know that that computer isn't the "real" 192.168.0.1. In fact, it might be the real 192.168.0.1 - how does it know you didn't change the router's address to 192.168.0.2?

And because the CPU is not in the path between your computer and other computers, it can't block that packet. Advanced switches support packet filtering but they wouldn't put an advanced switch in a home router, too expensive.

OpenWrt and self-signed certificates

Posted Nov 19, 2020 17:35 UTC (Thu) by marcH (subscriber, #57642) [Link]

> In general, TLS seeks to establish authenticity in addition to confidentiality, but it's unclear what that means in the context of a home network. First, we need to establish a threat model ...

Thanks for laying out some high-level, conceptual issues and security requirements; something I wish the article had started with instead of the implementation details.

About the project itself I understand people love to code but I think it would avoid confusion and disappointments to discuss, clarify and publish the basic security requirements and objectives before sketching some new "on-the-fly PKI" system. These questions are indeed relevant far beyond OpenWRT and other comments here have unsurprisingly mentioned other efforts outside OpenWRT to solve the same issues.

I'm afraid they are only two high-level approaches to prove who you are on the Internet: centralized Public Key Infrastructure (https,...) versus peer to peer (ssh, PGP, self-signed https,...) So the very first question OpenWRT should answer is which approach it wants to support? Both? It should be obvious that you can't bootstrap a centralized approach without network access, no need to get lost in the implementation details to realize this.

Another very important question is indeed: does an OpenWRT router really want to prove who it is? Or just encrypt with an understood and accepted MitM security risk? Give the user the choice?

Another one: why can we choose "Yes, I will keep trusting this ssh server until further notice" on the very first connection attempt but not do the same with an https browser? Leading to awkward "solutions" like tunneling https (and other things...) in ssh, our security swiss army knife? For the record I set up my OpenWRT router with a back to back cable totally disconnected from everything else.

It's great OpenWRT developers look at these questions. It's not great they seem to look at them in the narrow scope of the OpenWRT code.

OpenWrt and self-signed certificates

Posted Nov 19, 2020 17:31 UTC (Thu) by excors (subscriber, #95769) [Link] (1 responses)

Apart from routers, are there a significant number of IoT devices that care about being directly accessible from a web browser? In the ones I'm aware of, pretty much all the communication between user and device is:

* Over wifi where the IoT device behaves as a WAP, and a mobile app temporarily connects the user's phone to that WAP and communicates using some arbitrary protocol (maybe HTTPS, maybe not)
* Over BLE, where a mobile app connects the user's phone to the device with some custom protocol (definitely not HTTPS)
* Through the cloud. The device connects outwards to a cloud server via wifi, or via some short-range protocol to an internet-connected gateway device. The user connects to the cloud with a web browser or mobile app or whatever. The cloud passes messages between user and device.

Web browsers are only relevant for the last of those, and they're just connecting to a regular cloud web server which can use regular CAs. The device only connects to a custom app or to a custom cloud server, which can authenticate the device using a custom CA.

It's not clear to me that a solution for OpenWrt would be of any relevance for other IoT devices, because they have no interest in being directly accessible over HTTP(S) anyway.

OpenWrt and self-signed certificates

Posted Nov 20, 2020 18:38 UTC (Fri) by nix (subscriber, #2304) [Link]

Networked printers are another big one. With the shutdown of Google Cloud Print they are more or less all now restricted to direct HTTP(S), plus the usual IPP or whatever printing protocol.

OpenWrt and self-signed certificates

Posted Nov 19, 2020 0:07 UTC (Thu) by nybble41 (subscriber, #55106) [Link] (2 responses)

This seems vaguely similar to my previous proposal to have browsers recognize special domain names containing TLS host key fingerprints with matching self-signed keys as equivalent to DV CA certificates. If one can arrange to respond to an HTTPS request directed at 7wtdghe4­zqrh3w3c­nbjjlmvo­6fdpcnhm­7ijini2z­ryoliee7­6maq.local (for example) with a self-signed TLS key matching that fingerprint then there is no reason to think that this is not the authoritative device servicing requests for that domain. Sure, the full SHA-256 fingerprint in base32 is a bit unwieldy, but that just means users will need to bookmark the domains on first use—thus ensuring that they get the correct device for all later connections. (And the fingerprint could always be truncated to make the name shorter, with the obvious security/convenience trade-off.)

OpenWrt and self-signed certificates

Posted Nov 20, 2020 15:20 UTC (Fri) by mebrown (subscriber, #7960) [Link] (1 responses)

.local implies mdns and that works only on the same ip subnet, so this isnt a general solution, if I'm understanding the proposal correctly.

OpenWrt and self-signed certificates

Posted Nov 20, 2020 15:44 UTC (Fri) by nybble41 (subscriber, #55106) [Link]

Technically mDNS can work across subnets if you configure a system connected to both networks to perform reflection (enable-reflector=yes and reflect-ipv=yes in the [reflector] section in avahi-daemon.conf), and if you want to manage local devices across multiple private subnets then you should probably do that. But yes, like most of the other proposals this would mainly be aimed at connecting to local devices on the same subnet.

It's not strictly necessary that the name end in .local, though. It could be expanded to include any name on the Public Suffix List, which would allow the use of dynamic DNS services or vendor-specific domains (as long as they register as public suffixes, which is a good idea in any case).

OpenWrt and self-signed certificates

Posted Nov 19, 2020 0:53 UTC (Thu) by pabs (subscriber, #43278) [Link] (1 responses)

Browsers should probably have TOFU-based trust pools on a per-network-connection basis for the self-signed certs of local network services.

OpenWrt and self-signed certificates

Posted Nov 22, 2020 17:02 UTC (Sun) by mmonaco (guest, #84041) [Link]

This. This whole technical problem on the OpenWRT side seems like a workaround for browsers not having a similar, optional (?), TOFU model to SSH.

OpenWrt and self-signed certificates

Posted Nov 19, 2020 1:26 UTC (Thu) by mjoconr (subscriber, #50340) [Link]

Why not use ssh as the transport, ssh all ready has a system for checking the identity of a remote device and a localhost redirect would allow web or app access.

The ssh fingerprint could be checked by having them printed on the device. Pre-generation of the ssh identity would be needed by device suppliers.

A simple app which does the ssh redirection setup could be download able from the router for windows and macos users and instructions for linux users. (on port 80)

OpenWrt and self-signed certificates

Posted Nov 19, 2020 1:40 UTC (Thu) by tialaramex (subscriber, #21167) [Link]

First of all let me underscore that the "technically constrained subordinate" approach won't happen.

Certificate Authorities in the Web PKI have to obey not only the CA/B Baseline Requirements but the policies of each major root trust store, ie Microsoft, Apple, Google† and most importantly for us, Mozilla. The intent of the BRs is that they encapsulate a coherent subset of these policies to try to avoid cases where the root store policies are contradictory - though they're perhaps not always successful for various reasons - but they do not now and never have replaced or subsumed the root store policies.

Mozilla policy does exempt certain types of technically constrained subordinate _but_ not in a way that's useful to OpenWrt here and that's intentional. All of the Web PKI is covered and OpenWrt wants Web PKI certificates so that they work in a browser. So e.g. all of Mozilla policy 3.1 on audits would apply to this subordinate. In practice it would have to live at the root CA's facilities on hardware they control or the liability concerns would be unbearable for them.

It is true however that OpenWrt is far from alone in having this problem. There are groups trying to figure out a way forward that would both be acceptable to the OS and browser vendors (so it works in your browser) and to those who make devices and firmware. This is a good time for somebody from OpenWrt to go out and talk to people in that space, and put OpenWrt's weight behind approaches that would suit them specifically before momentum is established on one route forward.

† Historically Google's popular Chrome browser did not have its own root store, but Android and Chrome OS did, however this is now changing, all Google products (except on iOS where Apple decides how everything works) will move to their own root store in the coming months.

OpenWrt and self-signed certificates

Posted Nov 19, 2020 3:39 UTC (Thu) by pabs (subscriber, #43278) [Link]

It is pretty concerning that people are talking about default passwords, does OpenWrt not require people to set a password on first boot like TurrisOS (OpenWrt derivative) does?

OpenWrt and self-signed certificates

Posted Nov 19, 2020 7:29 UTC (Thu) by canihavesomecoffee (subscriber, #126723) [Link] (1 responses)

Can't they implement something alike to https://blog.heckel.io/2018/08/05/issuing-lets-encrypt-ce... ? I've experimented with this same idea in the past and that was a pretty neat way to get certificates on local devices.

Biggest downside of course will be that it relies on a community controlled domain/server where all OpenWRT instances will be depending on.

OpenWrt and self-signed certificates

Posted Nov 19, 2020 8:46 UTC (Thu) by PhilippWendler (subscriber, #126612) [Link]

That was also my first thought. There is no need for a subordinate CA, the "SSH-hash.luci.openwrt.org" idea can easily be used with Lets Encrypt itself. OpenWRT just has to provide a DNS service for this domain that allows everyone who proves ownership of the corresponding private key to edit that DNS record. Then ACME with DNS authentication can be used, which works as soon as the router can send DNS and HTTP requests to the internet. So like all other solutions, it might not help for the first initial setup, but at least the device does not need to be reachable from the internet, it can be done behind another router, for example. OpenWRT could even on its first boot send DHCP requests on its WAN interface, try to get an internet connection that way, and get a certificate. Then the installation instructions would just need to tell users to connect it to an existing router for the first boot.

OpenWrt and self-signed certificates

Posted Nov 19, 2020 10:03 UTC (Thu) by ale2018 (guest, #128727) [Link]

> The CA model does not work for all use cases

This!

Public Key cryptography solved a technical problem. PKI didn't solve the "social" problem of making it understandable.

OpenWrt and self-signed certificates

Posted Nov 19, 2020 13:03 UTC (Thu) by cesarb (subscriber, #6266) [Link] (2 responses)

For the particular case of IoT devices which listen only on the local network, a possible solution would be to take inspiration from what Tor does with its .onion hostnames: each device would be provisioned at the factory with a self-signed certificate, and would have a sticker with a random-looking .local address, that address being actually part of a hash of the certificate's public key; the user would type that address to configure the device. Browsers would have to be modified to accept self-signed certificates for .local addresses whenever the certificate's truncated public key hash matches the address. Of course, this idea would not help much with OpenWrt, since it's usually added after the fact instead of coming from the factory.

OpenWrt and self-signed certificates

Posted Nov 19, 2020 15:59 UTC (Thu) by nybble41 (subscriber, #55106) [Link]

You mean something like this? https://lwn.net/Articles/837676/

OpenWrt and self-signed certificates

Posted Nov 20, 2020 11:41 UTC (Fri) by arnout (subscriber, #94240) [Link]

> Of course, this idea would not help much with OpenWrt, since it's usually added after the fact instead of coming from the factory.

In most cases, the devices are not sufficiently locked down to hide the private keys installed on them. So when installing OpenWrt, the existing keypair can be recovered from it, which allows the OpenWrt-based system to provide the same certificate and address.

Devices that are properly locked down will typically not allow OpenWrt to be installed on them at all (which is a GPLv3 violation, but those devices will typically not have any GPLv3 on them).

OpenWrt and self-signed certificates

Posted Nov 19, 2020 20:40 UTC (Thu) by davidstrauss (guest, #85867) [Link]

>A "technically constrained subordinate CA" would be created that could sign certificates for sub-domains of "luci.openwrt.org", though it is not entirely clear which existing CA would be willing to sign subordinate CA keys—Let's Encrypt and DigiCert are mentioned as possibilities. The proposal calls the new CA the "OpenWrt CA".

My understanding is that the constrained subordinate CA properties are not well supported by many TLS libraries. The lack of support even includes dangerous effects like treating the CA as unconstrained (despite the property constraining the CA being marked as mandatory).

OpenWrt and self-signed certificates

Posted Nov 19, 2020 21:56 UTC (Thu) by flussence (guest, #85566) [Link]

I should be able to unplug the phone line and still have access to devices on my LAN. This problem is the fault of browsers blindly mandating centralised security for a decentralised internet, and it should be the responsibility of browsers to fix it.

OpenWrt and self-signed certificates

Posted Nov 20, 2020 20:35 UTC (Fri) by jo42 (subscriber, #59640) [Link] (1 responses)

At first, if these devices can't obtain a valid TLS certificate, they can never use QUIC.

And wouldn't it be possible to use DANE TLSA for this? When a host connects to a network it could ask the local router/DNS server to assign it's TLSA record to it's address and host name. So, if a hosts trusts the router and its DNS it could obtain the TLS fingerprints from this trust anchor.

OpenWrt and self-signed certificates

Posted Nov 20, 2020 22:55 UTC (Fri) by NYKevin (subscriber, #129325) [Link]

There are multiple problems with that. Let's say there are three devices:

- The router, DNS server, and/or whatever device or combination of devices is handing out IP addresses and establishing DNS records (R).
- The end user's computer, laptop, or other client (C).
- The other device which C wants to securely connect to (O). O can be the same device as R, or a different device (e.g. a Raspberry Pi, an IoT device, etc.).

Then:

1. C must trust R, and bootstrapping that trust is a hard problem (i.e. it can be MitM'd during initial DHCP negotiation, if there are untrusted devices on the same network).
2. R must trust O, and bootstrapping that trust is also a hard problem (unless O = R).
3. As described in RFC 8375, DNSSEC is not designed for domains with local significance (such as home.arpa.), so you would need to configure C to use a custom trust anchor (probably R). There is no standard way to make this happen automatically, and I'm not even sure if the average device exposes a way to do it manually. DNSSEC is an absolute requirement for DANE.
4. DANE is an unnecessary complication. If R is willing to let O create DNS records, it should also be willing to sign a CSR which asserts that O owns those records, and (assuming we've gotten this far) C should be willing to trust the resulting signed certificate just as much as it would have trusted a DANE-based certificate. If you insist on breaking this into a two-step process, you can use some form of ACME to prove DNS ownership.

In my estimation, 1 and 2 are the "real" problems, and 3 and 4 are more on the side of nitpicky details.

Of course, you can just say "there aren't any evil devices on my network, so I'll just trust everything implicitly," but I don't think browser makers are willing to make that the default behavior. Lots of consumer devices are hilariously insecure.

OpenWrt and self-signed certificates

Posted Nov 20, 2020 21:43 UTC (Fri) by rknight (subscriber, #26792) [Link]

One thing that is apparently missing from the discussion and most of the responses is that OpenWrt is no longer just for routers. There is a surprising number of non-router devices currently supported by OpenWrt to include cameras, NAS devices and a recent addition switches.


OpenWrt and self-signed certificates

Posted Nov 22, 2020 15:27 UTC (Sun) by isomer (subscriber, #90342) [Link]

This sounds very similar to what plex does: https://blog.filippo.io/how-plex-is-doing-https-for-all-i...

They issue wildcard certs for *.<hashofcert>.plex.direct, and then have a DNS rule that means that 192-0-2-1.<hashofcert>.plex.direct returns IN A 192.0.2.1.

OpenWrt and self-signed certificates

Posted Dec 5, 2020 8:59 UTC (Sat) by vmsh0 (guest, #140733) [Link]

I argue that the automatic certificate deployment thing would make the devices *less* secure.

When using self-signed certificates, you have the option to ask the browser to add the self-signed CA to its internal CA storage. From that point on, if your computer doesn't get compromised, you have a very straightforward way to authenticate the device: if the web browser doesn't say anything, you're good.

With this new, complicated system, you would instead have to notice that the hash in the URL bar changed. The web browser will not help you anymore!

Not that the kind of device would be particularly prone to device substitution or man-in-the-middle attacks: typical OpenWRT systems are small and physically contained. But it seems pointless to add complexity (very bad for sustainability!) and enlarge the attack surface to remove a very small annoyance for "casual" users.


Copyright © 2020, Eklektix, Inc.
This article may be redistributed under the terms of the Creative Commons CC BY-SA 4.0 license
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds