 
R1CH
Forum Veteran
Topic Author
Posts: 928
Joined: Sun Oct 01, 2006 11:44 pm

Please add HTTPS support on mikrotik.com

Mon Mar 14, 2016 3:31 pm

Hello,
I've noticed during my browsing that there is no HTTPS deployed on the site.

The main mikrotik.com site is particularly vulnerable since it hosts downloadable .exe files (winbox, netinstall, etc) which are not digitally signed, allowing a MITM to deploy trojans / malware.

The upgrade feature in winbox makes insecure requests to upgrade.mikrotik.com, allowing a MITM to push fake updates onto administrators.

Given the availability of free certificates from Let's Encrypt, there is no barrier to deploying SSL / TLS any more. Could you look into supporting HTTPS across the domain? Thanks.
 
jarda
Forum Guru
Posts: 7603
Joined: Mon Oct 22, 2012 4:46 pm

Mon Mar 14, 2016 4:44 pm

I think that certificate is not a matter of price for mikrotik.
 
R1CH
Forum Veteran
Topic Author
Posts: 928
Joined: Sun Oct 01, 2006 11:44 pm

Re: Please add HTTPS support on mikrotik.com

Mon Mar 14, 2016 4:49 pm

I know, I'm just pointing out that HTTPS is easy and free these days, to the point where some webservers even have it built in with ACME.
 
nxs02
Member Candidate
Posts: 119
Joined: Sat Nov 07, 2015 1:25 pm
Location: Planet Earth

Re: Please add HTTPS support on mikrotik.com

Mon Mar 14, 2016 8:37 pm

agree with this... 8)
 
vortex
Forum Guru
Posts: 1097
Joined: Sat Feb 16, 2013 6:10 pm

Re: Please add HTTPS support on mikrotik.com

Mon Mar 14, 2016 9:09 pm

I can tell you that there are several companies that have lost my business because their sites are not full HTTPS.
 
mpreissner
Member
Posts: 356
Joined: Tue Mar 11, 2014 11:16 pm
Location: Columbia, MD

Re: Please add HTTPS support on mikrotik.com

Tue Mar 15, 2016 1:49 pm

Just because they're not supporting encrypted connections doesn't mean there's no security or compensating controls. Think about it...you're not downloading any sensitive information, so there's really no reason to encrypt it. MikroTik does provide a hash sum for the downloads, so you can verify the integrity of whatever you download. You're right that it's easy to set up an HTTPS site, and it's free/not expensive to get a valid certificate, but why go through the effort when there's no sensitive data being transmitted, and there's a method in place to validate the integrity of the files? If you're not transmitting personal, financial, or otherwise sensitive info, it's just unnecessary.
Michael Preissner
CISSP, CCSP, CEH, PMP
 
vortex
Forum Guru
Posts: 1097
Joined: Sat Feb 16, 2013 6:10 pm

Re: Please add HTTPS support on mikrotik.com

Tue Mar 15, 2016 2:29 pm

How do you know the MD5 is real if the page is not HTTPS ?
 
ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: Please add HTTPS support on mikrotik.com

Tue Mar 15, 2016 3:47 pm

Just because they're not supporting encrypted connections doesn't mean there's no security or compensating controls. Think about it...you're not downloading any sensitive information, so there's really no reason to encrypt it. MikroTik does provide a hash sum for the downloads, so you can verify the integrity of whatever you download. You're right that it's easy to set up an HTTPS site, and it's free/not expensive to get a valid certificate, but why go through the effort when there's no sensitive data being transmitted, and there's a method in place to validate the integrity of the files? If you're not transmitting personal, financial, or otherwise sensitive info, it's just unnecessary.
But this IS sensitive data - it's the very operating system of a networking device! If someone were to MitM your connection to the Mikrotik site, and provide a malicious version of RoS, you'd never know. They would be able to back-door your network, or monitor for cleartext pii, credit card numbers, passwords, email addresses, etc.

Without SSL (or some other form of cryptographic identity verification system) then you cannot be certain that a remote host is actually the host you intended to communicate with. This renders the MD5 checksum useless as a means of verifying your download. It is trivial for the MitM attacker to generate their own valid MD5 hash of the compromised image as well. Since there's no way to know that the checksum came from a trustworthy source, the MD5's not worth the paper it's printed on, so to speak (at least as far as verifying security is concerned).
When given a spoon,
you should not cling to your fork.
The soup will get cold.
 
vortex
Forum Guru
Posts: 1097
Joined: Sat Feb 16, 2013 6:10 pm

Re: Please add HTTPS support on mikrotik.com

Tue Mar 15, 2016 4:56 pm

I think I just saw the worst example, which is a mess of HTTPS-lessness, dubious domain redirections, USA toll free numbers and so on.
 
mpreissner
Member
Posts: 356
Joined: Tue Mar 11, 2014 11:16 pm
Location: Columbia, MD

Re: Please add HTTPS support on mikrotik.com

Tue Mar 15, 2016 6:33 pm


But this IS sensitive data - it's the very operating system of a networking device! If someone were to MitM your connection to the Mikrotik site, and provide a malicious version of RoS, you'd never know. They would be able to back-door your network, or monitor for cleartext pii, credit card numbers, passwords, email addresses, etc.

Without SSL (or some other form of cryptographic identity verification system) then you cannot be certain that a remote host is actually the host you intended to communicate with. This renders the MD5 checksum useless as a means of verifying your download. It is trivial for the MitM attacker to generate their own valid MD5 hash of the compromised image as well. Since there's no way to know that the checksum came from a trustworthy source, the MD5's not worth the paper it's printed on, so to speak (at least as far as verifying security is concerned).
Yes and no. You're right that someone could MitM the connection, provide a fraudulent MD5 sum, and get away with it. You're wrong that there's no way to verify the source. MT could implement DNSSEC (or have their DNS providers implement it - not currently implemented according to my tests) to sign their domain. This would provide validation of the authenticity of the source. As you could then trust that you were communicating with the proper website, this would also provide a level of trustworthiness regarding the MD5 hashes.

It would be a best practice to just go ahead and use TLS to protect client connections...it would solve a lot of security related issues with minimal effort, but as with most things, there's more than one way to skin a cat.
Michael Preissner
CISSP, CCSP, CEH, PMP
 
Sob
Forum Guru
Posts: 5716
Joined: Mon Apr 20, 2009 9:11 pm

Re: Please add HTTPS support on mikrotik.com

Tue Mar 15, 2016 6:50 pm

DNSSEC only makes sure that a hostname resolves to the right address (if the proper validation is done), so it's not possible to redirect a client to some completely different server using DNS. But a MITM does not need that; the attacker is already in the middle, on the wire, and can see and alter anything non-encrypted.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply. Not intended as incentive for masochists.
 
mpreissner
Member
Posts: 356
Joined: Tue Mar 11, 2014 11:16 pm
Location: Columbia, MD

Re: Please add HTTPS support on mikrotik.com

Tue Mar 15, 2016 7:17 pm

There are multiple types of MitM attacks. DNSSEC does provide MitM protections for cases of DNS spoofing/session redirection, but not for other types of MitM like browser hijacking. All of your speculation about the security of MT's site is based on specific scenarios you have engineered in your mind. Not all possible scenarios will occur the way you are thinking. You shouldn't take absolutist views on a subject that has so many permutations that it's impossible to address each one.

Understand, I'm not saying MT shouldn't beef up their security...at the very least, they should run their downloads over TLS (preferably v1.2 or better), but there's no need to secure their entire site with SSL/TLS. It would be smart for them to have their domain signed for DNSSEC, as this would provide complementary security versus SSL/TLS alone.

Then again, if any of us REALLY had a problem with the fact that MT isn't doing this already, none of us would be on this forum, or purchasing their equipment, etc. So if you're an active MT product/forum user, remember it's YOUR CHOICE to use these products and this website. Your continued use of their products says that despite any whining you do here about the security of their site, it's just not important enough to you to make you switch to a different company's products.
Michael Preissner
CISSP, CCSP, CEH, PMP
 
vortex
Forum Guru
Posts: 1097
Joined: Sat Feb 16, 2013 6:10 pm

Re: Please add HTTPS support on mikrotik.com

Tue Mar 15, 2016 7:29 pm

I think it is very common to buy from a company the first time, only to discover later that the support/update/removal process is not secure.
 
mpreissner
Member
Posts: 356
Joined: Tue Mar 11, 2014 11:16 pm
Location: Columbia, MD

Re: Please add HTTPS support on mikrotik.com

Tue Mar 15, 2016 7:40 pm

Of course...we've all been there. But if it was that important of an issue, we'd have already taken our business elsewhere by now. Ask yourself this...if R1CH hadn't made a posting about the lack of HTTPS support, would you have made this comment...?
I can tell you that there are several companies that have lost my business because their sites are not full HTTPS.
And the idea that you'd steer your business elsewhere because the WHOLE site wasn't HTTPS is a little ridiculous. There's no need for HTTPS on portions of websites that don't serve sensitive data. Many websites simply implement HTTPS on everything because it's easier and gives their customers peace of mind, but the only place it would really be required is on the downloads to ensure the integrity of the files. Even there, it wouldn't be necessary if all the files were digitally signed. Their authenticity and integrity could be validated without the need for encryption on the file transfer.

I think we're all getting pulled onto the bandwagon because one person wasn't happy about the lack of HTTPS support. Not that they're wrong, MT should do better, but I think this is getting overblown a bit.
Michael Preissner
CISSP, CCSP, CEH, PMP
 
vortex
Forum Guru
Posts: 1097
Joined: Sat Feb 16, 2013 6:10 pm

Re: Please add HTTPS support on mikrotik.com

Tue Mar 15, 2016 7:51 pm

What I mean by "full HTTPS" is that a certain process was not fully secure, not that the whole thing needs HTTPS.

But it better have HTTPS for things like downloading PDFs.
 
R1CH
Forum Veteran
Topic Author
Posts: 928
Joined: Sun Oct 01, 2006 11:44 pm

Re: Please add HTTPS support on mikrotik.com

Wed Mar 16, 2016 12:44 am

Of course...we've all been there. But if it was that important of an issue, we'd have already taken our business elsewhere by now. Ask yourself this...if R1CH hadn't made a posting about the lack of HTTPS support, would you have made this comment...?
I can tell you that there are several companies that have lost my business because their sites are not full HTTPS.
And the idea that you'd steer your business elsewhere because the WHOLE site wasn't HTTPS is a little ridiculous. There's no need for HTTPS on portions of websites that don't serve sensitive data.
All it takes is one unencrypted page and someone can MITM and rewrite all the https links to http and break https for the rest of your session. It really does need to be all or nothing.
 
ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: Please add HTTPS support on mikrotik.com

Wed Mar 16, 2016 3:27 am

They could make a sandbox with hijacked SSL links but they couldn't put the Mikrotik cert on their SSL sandbox. (You do look at the cert when you visit your financial websites, I hope)

Any site that hosts a malicious web page is in danger of having its certificate revoked so I would think that a redirected SSL site wouldn't have a valid cert - at least not for long, but one really should glance at the certificate info when visiting secure sites anyway...

My only point is that software is definitely something that is important to verify.
When given a spoon,
you should not cling to your fork.
The soup will get cold.
 
normis
MikroTik Support
Posts: 24666
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Please add HTTPS support on mikrotik.com

Wed Mar 16, 2016 9:00 am

Just to point it out, the RouterOS files are all signed and you can't make your own packages, or replace them with fake ones. They would simply not be accepted in the software.
No answer to your question? How to write posts
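An added example (not code from this thread, from MikroTik, or from RouterOS) illustrating two points made above: ZeroByte's point that a checksum fetched over the same plain-HTTP channel as the file proves nothing, and normis's point that a signature checked against a key the client already holds does. The client that only compares the published hash accepts a substituted package with a regenerated hash; the client holding a pinned vendor public key rejects it. Ed25519, the `Release` struct and the sample package bytes are constructed stand-ins, not the actual RouterOS package format or signing scheme.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Release is what a download server hands out: the package bytes, the hash
// shown on the download page, and (for the signed flow) a detached signature.
type Release struct {
	Package   []byte
	SHA256Hex string
	Signature []byte
}

// publish is the vendor side: hash the package and sign it with the vendor's
// private key, which never leaves the vendor.
func publish(priv ed25519.PrivateKey, pkg []byte) Release {
	sum := sha256.Sum256(pkg)
	return Release{
		Package:   pkg,
		SHA256Hex: hex.EncodeToString(sum[:]),
		Signature: ed25519.Sign(priv, pkg),
	}
}

// verifyByHash is "compare the file against the checksum on the download page":
// file and checksum both arrive over the same unauthenticated channel.
func verifyByHash(r Release) bool {
	sum := sha256.Sum256(r.Package)
	return hex.EncodeToString(sum[:]) == r.SHA256Hex
}

// verifyBySignature checks the package against a public key the client already
// holds (shipped inside the software), so nothing on the download path can
// swap the key along with the package.
func verifyBySignature(pinned ed25519.PublicKey, r Release) bool {
	return ed25519.Verify(pinned, r.Package, r.Signature)
}

// substituted models the scenario the thread describes: an on-path party
// replaces the package and republishes a matching hash. The original
// signature is carried over because it cannot be recomputed without the key.
func substituted(orig Release, other []byte) Release {
	sum := sha256.Sum256(other)
	return Release{Package: other, SHA256Hex: hex.EncodeToString(sum[:]), Signature: orig.Signature}
}

// Scenario runs a genuine and a substituted download through both checks and
// returns (hashGenuine, sigGenuine, hashSubstituted, sigSubstituted).
func Scenario() (bool, bool, bool, bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample package bytes; the real .npk format is not modelled.
	genuine := publish(priv, []byte("constructed-sample-package-v1"))
	swapped := substituted(genuine, []byte("constructed-sample-package-v1-altered"))
	return verifyByHash(genuine), verifyBySignature(pub, genuine),
		verifyByHash(swapped), verifyBySignature(pub, swapped)
}

func main() {
	hg, sg, hs, ss := Scenario()
	fmt.Printf("genuine:     hash=%v signature=%v\n", hg, sg)
	fmt.Printf("substituted: hash=%v signature=%v\n", hs, ss)
}
```

The same holds whether the published hash is MD5 or SHA256: the check only becomes meaningful once the hash itself reaches the client over an authenticated channel, which is exactly what HTTPS on the download page (or a signature against a pinned key) provides.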
 
mpreissner
Member
Posts: 356
Joined: Tue Mar 11, 2014 11:16 pm
Location: Columbia, MD

Re: Please add HTTPS support on mikrotik.com

Wed Mar 16, 2016 1:45 pm

Good to know. Knowing that your products validate the signature before installing updates should be a great relief to those who were worried about ROS getting hijacked. Unless your code-signing private key gets compromised, we don't need to worry about hacked versions of ROS making their way onto our equipment.
Michael Preissner
CISSP, CCSP, CEH, PMP
 
normis
MikroTik Support
Posts: 24666
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Please add HTTPS support on mikrotik.com

Wed Mar 16, 2016 2:14 pm

Good to know. Knowing that your products validate the signature before installing updates should be a great relief to those who were worried about ROS getting hijacked. Unless your code-signing private key gets compromised, we don't need to worry about hacked versions of ROS making their way onto our equipment.
Yes. This has always been so. No need to worry.
No answer to your question? How to write posts
 
R1CH
Forum Veteran
Topic Author
Posts: 928
Joined: Sun Oct 01, 2006 11:44 pm

Re: Please add HTTPS support on mikrotik.com

Wed Mar 16, 2016 3:37 pm

It's good that the packages are signed, but things like winbox (and its update process), netinstall and other downloadable executables are still wide open to MITM attack, also the forums (usernames, passwords, emails) and wiki (MITM someone and give them dangerous commands to run :D)
 
jarda
Forum Guru
Posts: 7603
Joined: Mon Oct 22, 2012 4:46 pm

Re: Please add HTTPS support on mikrotik.com

Wed Mar 16, 2016 4:23 pm

Just to point it out, the RouterOS files are all signed and you can't make your own packages, or replace them with fake ones. They would simply not be accepted in the software.
This applies to the situation when a package is installed into an already running RoS, not when installing via PXE/netinstall.
 
vortex
Forum Guru
Posts: 1097
Joined: Sat Feb 16, 2013 6:10 pm

Re: Please add HTTPS support on mikrotik.com

Wed Mar 16, 2016 5:21 pm

Remember also that Google boosts your ranking if the site uses HTTPS.
 
vortex
Forum Guru
Posts: 1097
Joined: Sat Feb 16, 2013 6:10 pm

Re: Please add HTTPS support on mikrotik.com

Wed Mar 16, 2016 8:09 pm

I guess it is a motherboard selection criterion too.
 
rtlx
just joined
Posts: 11
Joined: Wed Apr 16, 2014 2:18 am

Re: Please add HTTPS support on mikrotik.com

Thu Mar 24, 2016 11:30 pm

Posts related to signing Winbox:
http://forum.mikrotik.com/viewtopic.php ... 97#p477897
http://forum.mikrotik.com/viewtopic.php ... 88#p527088

This is a really simple and cheap process. Only be sure to select a trusted CA, for example VeriSign, DigiTrust, GlobalSign, Unizeto.


About HTTPS: be aware that users are sending their credentials and private messages via forum.
Do you really think that securing such data is not necessary?


I have mixed feelings about developers' knowledge of today's cryptography recommendations.
RouterOS is using by default a 1024 bit RSA key - which was (officially) considered legacy way back in 2013: page 35 of https://www.enisa.europa.eu/activities/ ... fullReport

Today, after setting /ip ssh set strong-crypto=yes, the 2048 bit key is used - which was also not considered secure in 2013 (the same document and same page says a minimum size of 3072 bits). So the default key length should be 3072 bit and after setting /ip ssh set strong-crypto=yes it should be at least 4096 bits long.

It's sad that in today's world such important things are left behind...
Last edited by rtlx on Fri Mar 25, 2016 12:11 am, edited 3 times in total.
 
vortex
Forum Guru
Posts: 1097
Joined: Sat Feb 16, 2013 6:10 pm

Re: Please add HTTPS support on mikrotik.com

Fri Mar 25, 2016 12:03 am

I have seen bigger companies with such weakness.

I wonder if it has to do with making their sites accessible in certain countries.

In that case, they need country-specific sites for those then.
 
rtlx
just joined
Posts: 11
Joined: Wed Apr 16, 2014 2:18 am

Re: Please add HTTPS support on mikrotik.com

Fri Mar 25, 2016 12:06 am

I have seen bigger companies with such weakness.
I too, but it is not an excuse - not a little bit.
 
R1CH
Forum Veteran
Topic Author
Posts: 928
Joined: Sun Oct 01, 2006 11:44 pm

Re: Please add HTTPS support on mikrotik.com

Tue May 03, 2016 2:01 pm

Any official response on this? I'd be happy to offer my services if you need someone to help set this up!
 
normis
MikroTik Support
Posts: 24666
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Please add HTTPS support on mikrotik.com

Tue May 03, 2016 2:09 pm

Any official response on this? I'd be happy to offer my services if you need someone to help set this up!
We need to change www.mikrotik.com certificate to a wildcard certificate, we are working on that
No answer to your question? How to write posts
 
favincen
just joined
Posts: 21
Joined: Mon Jun 08, 2015 1:56 pm
Location: Grenoble, France

Please increase RSA key length

Tue May 03, 2016 2:44 pm

I have mixed feelings about developers' knowledge of today's cryptography recommendations.
RouterOS is using by default a 1024 bit RSA key - which was (officially) considered legacy way back in 2013: page 35 of https://www.enisa.europa.eu/activities/ ... fullReport

Today, after setting /ip ssh set strong-crypto=yes, the 2048 bit key is used - which was also not considered secure in 2013 (the same document and same page says a minimum size of 3072 bits). So the default key length should be 3072 bit and after setting /ip ssh set strong-crypto=yes it should be at least 4096 bits long.

It's sad that in today's world such important things are left behind...
Indeed ! Interesting, but scary... :-x
Would love to get an answer from Mikrotik on that topic...

BTW, RSA ssh keys were only implemented less than a year ago (in rOS 6.31).
Before that, only DSA keys were supported, even though they were considered insecure (see for example https://security.stackexchange.com/ques ... ation-keys )...
If you consider this post useful, you can tell by rating it positively... Thanks ! 8)
 
R1CH
Forum Veteran
Topic Author
Posts: 928
Joined: Sun Oct 01, 2006 11:44 pm

Re: Please add HTTPS support on mikrotik.com

Tue May 03, 2016 5:07 pm

Any official response on this? I'd be happy to offer my services if you need someone to help set this up!
We need to change http://www.mikrotik.com certificate to a wildcard certificate, we are working on that
Good to hear. Thanks for the response!
 
normis
MikroTik Support
Posts: 24666
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Please add HTTPS support on mikrotik.com

Tue May 10, 2016 10:00 am

Just wanted to clarify that our RSA has always been 2048, not 1024. Strong crypto setting doesn't set different length, it only affects which hashes are used:

[admin@MikroTik] /ip ssh> set  
Change properties of one or several items.

always-allow-password-login -- allow password login when public key authorization is configured
forwarding-enabled -- allows clients to connect to remote ports from server
strong-crypto -- use stronger encryption, HMAC algorithms, use bigger DH primes and disallow weaker ones

But in future versions we will have a new setting, where you will be able to make custom keys with any length.
No answer to your question? How to write posts
 
R1CH
Forum Veteran
Topic Author
Posts: 928
Joined: Sun Oct 01, 2006 11:44 pm

Re: Please add HTTPS support on mikrotik.com

Sun Feb 26, 2017 6:55 pm

Happy to see the website and forums now have HTTPS. Nice job!
 
esaym
just joined
Posts: 8
Joined: Thu Feb 23, 2017 5:44 am

Re: Please add HTTPS support on mikrotik.com

Mon Feb 27, 2017 12:10 am

Just to point it out, the RouterOS files are all signed and you can't make your own packages, or replace them with fake ones. They would simply not be accepted in the software.
This.

People do the same thing on the Debian mailing lists every few months, whine about the fact that the debian repos are only http. Yet all the packages and contents are signed and hashed. You can't just simply MITM a package with unsigned content and not have a lot of bells and whistles go off...

But anyway, thank you for actually signing your software/firmwares :)
 
normis
MikroTik Support
Posts: 24666
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Please add HTTPS support on mikrotik.com

Mon Feb 27, 2017 10:50 am

We have added sha256 to the RouterOS download checksum file (see download page) and all the downloads are now also https
No answer to your question? How to write posts
 
R1CH
Forum Veteran
Topic Author
Posts: 928
Joined: Sun Oct 01, 2006 11:44 pm

Re: Please add HTTPS support on mikrotik.com

Tue Feb 28, 2017 2:34 pm

The upgrade.mikrotik.com server still uses insecure HTTP downloads for winbox, this is very dangerous as the .exe is automatically executed after download!
 
normis
MikroTik Support
Posts: 24666
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Please add HTTPS support on mikrotik.com

Tue Feb 28, 2017 2:36 pm

No answer to your question? How to write posts
 
msatter
Forum Guru
Posts: 1765
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Please add HTTPS support on mikrotik.com

Tue Feb 28, 2017 2:44 pm

The upgrade.mikrotik.com server still uses insecure HTTP downloads for winbox, this is very dangerous as the .exe is automatically executed after download!
I urgently advise you change your browser setting to not execute/open any files automatically....not from any site.
One RB4011 (cooled) and a RB760iGS (hEX S) in series. The 4011 Does PPPoE/IKEv2.
The cooler: viewtopic.php?f=3&t=138613&start=300#p799879
Running:
RouterOS 6.47.1 / Winbox 3.24 / MikroTik APP 1.3.14
 
normis
MikroTik Support
Posts: 24666
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Please add HTTPS support on mikrotik.com

Tue Feb 28, 2017 2:44 pm

The upgrade.mikrotik.com server still uses insecure HTTP downloads for winbox, this is very dangerous as the .exe is automatically executed after download!
I urgently advise you change your browser setting to not execute/open any files automatically....not from any site.
He is talking about Winbox built-in self upgrade feature.
No answer to your question? How to write posts
 
msatter
Forum Guru
Posts: 1765
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Please add HTTPS support on mikrotik.com

Tue Feb 28, 2017 2:53 pm

The upgrade.mikrotik.com server still uses insecure HTTP downloads for winbox, this is very dangerous as the .exe is automatically executed after download!
I urgently advise you change your browser setting to not execute/open any files automatically....not from any site.
He is talking about Winbox built-in self upgrade feature.
I have not discovered the self upgrade feature yet and I will try it when I am home. I always download it manually and replace the old Winbox with the new one.

If it is done internally in Winbox is there the same protection as used in RouterOS? See: viewtopic.php?f=2&t=105802#p527337

Update: found it in the connection screen when you go into Winbox. Never noticed it and it's good to see the update made since the previous version of Winbox.
One RB4011 (cooled) and a RB760iGS (hEX S) in series. The 4011 Does PPPoE/IKEv2.
The cooler: viewtopic.php?f=3&t=138613&start=300#p799879
Running:
RouterOS 6.47.1 / Winbox 3.24 / MikroTik APP 1.3.14