pchott
newbie
Topic Author
Posts: 44
Joined: Tue Apr 29, 2014 11:15 am
Location: Holzkirchen, Germany

RouterOS Audit

Tue Feb 02, 2016 11:34 am

We are reading more and more how "big players" have problems with security of OS on their routers and switches.

What is Mikrotik doing to minimize that possibility? Doing any Audit or External Review of RouterOS?

It would be good to know to get higher trust and a better selling point. Thanks.
 
normis
MikroTik Support
Posts: 26378
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: RouterOS Audit

Tue Feb 02, 2016 1:35 pm

We have not ordered any such test ourselves, but anybody is welcome to try and find potential issues. We don't have any backdoors, so you should not worry about those being found :)
 
pe1chl
Forum Guru
Posts: 10226
Joined: Mon Jun 08, 2015 12:09 pm

Re: RouterOS Audit

Tue Feb 02, 2016 7:46 pm

> We don't have any backdoors, so you should not worry about those being found :)

That kind of claim could backfire on you... maybe not wise to make it.
Even when you have not added any backdoors yourself and you are confident that none of your (ex-)employees have done so, there might be backdoors in the software that you use unmodified.

Remember, the days of easy to locate backdoors (simple if statements that check some condition and bypass security mechanisms, or default user/password entries that do not show up in the UI) are mostly gone. Today there are backdoors that you won't find when casually browsing the sourcecode, but only when carefully examining the workings of the protocols and how the code operates on them.

Remember the Heartbleed SSL bug. It was probably inserted as a backdoor, yet it was not easily identifiable as such.
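The kind of flaw pe1chl is pointing at, where nothing in the code looks like a backdoor but the handler trusts a length the peer declares, shown as an added example that is not code from this thread or from MikroTik. It uses a simplified heartbeat-style record (an assumption loosely modelled on RFC 6520, not the real OpenSSL code) and a constructed 64-byte arena standing in for adjacent memory.

```c
#include <stdint.h>
#include <string.h>
/* Toy heartbeat record (simplified from RFC 6520, an assumption of this example):
 * byte 0 = type, bytes 1-2 = payload_length (big-endian), bytes 3.. = payload.
 * rec_len is the number of bytes actually received for the record. */
#define HB_HDR 3
#define HB_CLAIMED(rec) ((((size_t)(rec)[1]) << 8) | (rec)[2])
/* Vulnerable: copies the peer-declared length without comparing it to rec_len. */
static size_t hb_reply_trusting(const uint8_t *rec, size_t rec_len,
                                uint8_t *out, size_t out_cap)
{
    (void)rec_len;                          /* never consulted: that is the bug */
    size_t claimed = HB_CLAIMED(rec);
    if (claimed > out_cap) claimed = out_cap;
    memcpy(out, rec + HB_HDR, claimed);     /* reads past the record if claimed is big */
    return claimed;
}

/* Hardened: the declared length must fit inside what was actually received. */
static int hb_reply_checked(const uint8_t *rec, size_t rec_len,
                            uint8_t *out, size_t out_cap, size_t *out_len)
{
    if (rec_len < HB_HDR) return -1;
    size_t claimed = HB_CLAIMED(rec);
    if (claimed > rec_len - HB_HDR || claimed > out_cap) return -1;
    memcpy(out, rec + HB_HDR, claimed);
    *out_len = claimed;
    return 0;
}

/* Constructed demo input: a 4-byte request claiming a 20-byte payload, placed in
 * a 64-byte arena beside unrelated data that stands in for adjacent memory. */
static const uint8_t ARENA[64] = { 0x01, 0x00, 0x14, 'h',
                                   'S','E','C','R','E','T','-','K','E','Y' };
#define REC_LEN 4

/* 1 if the trusting handler echoes bytes that were never part of the record. */
int demo_trusting_leaks(void)
{
    uint8_t out[64]; size_t n;
    n = hb_reply_trusting(ARENA, REC_LEN, out, sizeof out);
    return n == 20 && memcmp(out + 1, "SECRET-KEY", 10) == 0;
}

/* 1 if the checked handler rejects the same record outright. */
int demo_checked_rejects(void)
{
    uint8_t out[64]; size_t n = 0;
    return hb_reply_checked(ARENA, REC_LEN, out, sizeof out, &n) == -1;
}
```

A code reviewer skimming hb_reply_trusting sees an ordinary echo routine; only checking the declared length against what was received, as hb_reply_checked does, makes the difference visible.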
 
lmns
newbie
Posts: 26
Joined: Mon Aug 10, 2015 4:12 pm

Re: RouterOS Audit

Tue Feb 02, 2016 9:06 pm

> Remember the Heartbleed SSL bug. It was probably inserted as a backdoor, yet it was not easily identifiable as such.

It was part of a dissertation about a heartbeat extension for OpenSSL. There's even an RFC about it: https://tools.ietf.org/html/rfc6520

The bug is well understood and certainly was just a mistake.

But it proves that audits are necessary even if you don't want to harm anybody because, well, bugs happen everywhere.
 
pe1chl
Forum Guru
Posts: 10226
Joined: Mon Jun 08, 2015 12:09 pm

Re: RouterOS Audit

Tue Feb 02, 2016 9:45 pm

What I wanted to point out is that when you want to introduce a backdoor, you don't need to have visible code like "if username equal to backdoor then let user in with no password". No, you can have a student write an RFC that says "This document does not introduce any new security considerations.", yet introduces a feature that, when implemented (by the same person) introduces the worst security incident of recent past.

You can never be sure if this was just an unwanted bug, or if this was done on request of a secret service who now quickly deny it.

So, MikroTik can never be sure that "We don't have any backdoors" when they use Open Source code that probably includes (or included) OpenSSL and similar libraries and programs.
