Backdoor passwords in VPN/Firewalls

https://threatpost.com/juniper-backdoor-password-goes-public/115685/

It’s a good reminder.

Speaking of security… Mikrotik could make some improvements to the web site and forum by turning on TLS. Unencrypted firmware and checksum downloads (not to mention forum logins) will eventually be abused.

Agreed. I’ve thought the very same thing.

Firmware files are already signed, so does it matter that they are downloaded over an unsigned channel?

If you read the article carefully, you'll notice that Juniper is still investigating HOW these changes happened, but more likely someone used their infrastructure or groupware (most companies build something GIT or TFS, rermind, sfs-based) that they used to build and distribute, to tamper with/malform the firmware, than something happening on server-side delivery.
And answering your actual question: signatures matter if you had a different, tamper-proof/secure communication channel; otherwise the signed content as well as the source/service of signature verification would and should be hijacked as well.
As for MITM: traffic should be both encrypted AND signed, which is what NONE of the present 3rd-party CDN offers, as well as corporate-made/in-house built solutions, are. And even in such a case there is some space for exploitation, because “insecure by design” things are reinforced by the majority of implementations (cipher, hash, L2, L3 protocols, etc.), which, despite sometimes the sophistication and resource consumption, remain quite an attractive option for attackers (criminals/government), because of the bright opportunities networking provides when exploited/controlled.
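The trust-anchor point raised in this exchange, as an added example that is not part of the original thread: a signature check only helps when the verification key reaches the client independently of the download channel. It assumes a Lamport one-time signature built from SHA-256 as a stand-in for whatever scheme a vendor really uses; all names and byte strings are constructed for illustration.

```python
import hashlib, secrets

def H(b): return hashlib.sha256(b).digest()

def keygen():
    # Lamport one-time key: 256 secret pairs; the public key is their hashes.
    sk = [[secrets.token_bytes(32), secrets.token_bytes(32)] for _ in range(256)]
    return sk, [[H(a), H(b)] for a, b in sk]

def bits(msg):
    d = int.from_bytes(H(msg), "big")
    return [(d >> i) & 1 for i in range(256)]

def sign(sk, msg):
    # Reveal one secret per digest bit.
    return [sk[i][b] for i, b in enumerate(bits(msg))]

def verify(pk, msg, sig):
    return len(sig) == 256 and all(
        H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, bits(msg))))

def fingerprint(pk):
    return H(b"".join(a + b for a, b in pk)).hex()

def client_accepts(served, pinned_fp=None):
    # 'served' is everything that arrived over the download channel.
    # pinned_fp is the key fingerprint obtained out of band (hypothetical pin).
    pk = served["pubkey"]
    if pinned_fp is not None and fingerprint(pk) != pinned_fp:
        return False
    return verify(pk, served["firmware"], served["sig"])

def demo():
    vendor_sk, vendor_pk = keygen()
    fw = b"constructed firmware image 1.0"
    honest = {"firmware": fw, "sig": sign(vendor_sk, fw), "pubkey": vendor_pk}
    # Channel fully replaced: image, signature and key all swapped together.
    other_sk, other_pk = keygen()
    alt = b"constructed altered image"
    swapped = {"firmware": alt, "sig": sign(other_sk, alt), "pubkey": other_pk}
    pinned = fingerprint(vendor_pk)
    return {
        "honest_pinned": client_accepts(honest, pinned),
        "swapped_key_from_channel": client_accepts(swapped),
        "swapped_key_pinned": client_accepts(swapped, pinned),
        "image_altered_sig_kept": client_accepts(dict(honest, firmware=alt)),
    }

if __name__ == "__main__":
    print(demo())
```

Only the run that takes its key from the same channel accepts the altered image; pinning the fingerprint rejects it even though the swapped signature is internally valid.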