Also, right!

> attacker can perform MITM attack
If HTTPS/SSL is available, you don't have to be afraid of the man-in-the-middle attack.

> Agree, example https://blocklister.gefoo.org/
Especially an HTTP fetch can be problematic, where an attacker can perform a MITM attack and modify the response even if the site is providing a non-malicious response.
Do not make unnecessary comments. Unfortunately, people like you have time to discuss empty things that are really problematic because of the pushes like you.

> Again...
> viewtopic.php?t=152632#p1109095
HTTP != HTTPS - That's why I mentioned especially HTTP, if someone is using the http (unencrypted) protocol in fetch.

> If HTTPS/SSL is available, you don't have to be afraid of the man-in-the-middle attack.
> Agree, example https://blocklister.gefoo.org/
> Especially an HTTP fetch can be problematic, where an attacker can perform a MITM attack and modify the response even if the site is providing a non-malicious response.
Unless it's a reliable source, yes, you're right. It doesn't make sense to use it. Here it depends on how much you trust the source. In addition, instead of automation, it can be achieved manually by allocating labor, as you said. Not every convenience is always completely safe.

> @LAYERWEB - What rextended is suggesting is that you should avoid trusting or automatically downloading third-party ROS scripts. An untrusted source could include elements that compromise your router's security. If you want to work with scripts, download only raw data and write your own script directly on your router or on a separate server. The use of HTTPS/SSL for the actual transfer does not change this risk.
> If HTTPS/SSL is available, you don't have to be afraid of the man-in-the-middle attack.
Obviously, it is obvious that you do not know how to distinguish a list of IPs from a list of commands, there is little to add.
Key word "environment", which makes company environments much more sensitive than home users' environments. If somehow I find out that my ISP is using such a way to update their routers, from a public source script without proper automated source checks / sanitization, I will be concerned and probably switch to another ISP, just saying, maybe it's just me...

> depends on the environment it's used in and the threat profile.
Yes, because most users can only copy & paste without knowing what they are doing, without distinguishing a list of commands from a list of IPs...

> I'm not sure the "CRITICAL" is necessary.
I see you get the point...

> If somehow I find out that my ISP is using such a way to update their routers, from a public source script without proper automated source checks / sanitization, I will be concerned and probably switch to another ISP, just saying, maybe it's just me...
Well, this is pure fantasy, but if I *somehow* manage to find out what my ISP does (no matter what is actually done) it means that their security (be it the technical or the "human" one) is a nice colander.

> Key word "environment", which makes company environments much more sensitive than home users' environments. If somehow I find out that my ISP is using such a way to update their routers, from a public source script without proper automated source checks / sanitization, I will be concerned and probably switch to another ISP, just saying, maybe it's just me...
> If HTTPS/SSL is available, you don't have to be afraid of the man-in-the-middle attack.
As I wrote in the other post:

> Obviously, it is obvious that you do not know how to distinguish a list of IPs from a list of commands, there is little to add.

Who guarantees that you yourself, on GitHub, do not insert commands that create users and open backdoors in the router?
"Your" link does not just refer to a ready-made list of IPs, but creates an "import" where you can safely put any command you want to execute in the router; maybe it's a way to make money by selling machines on the darkweb.
If people "can check", it does not mean that they do not go and check only when, for others, it is already too late.
If you can't see the security problem, it is certainly not my fault.
And let me be clear, I never talked about HTTP or HTTPS issues, it's the content that's the problem, not the means of transport.
However, the suggested script does NOT install the proper SSL certificate and does NOT check HTTPS, so no matter what happens a MITM attack is still possible...
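The two points made in this thread, fetching raw data instead of a ready-made script to `/import` and verifying the TLS certificate on the transfer, put together as an added example. This is not the blocklister script or any poster's code; the URL and list name are placeholders, and it follows the "separate server" option mentioned earlier: the list is fetched and checked on a host with curl, and only address-list commands are produced for the router.

```shell
#!/usr/bin/env bash
# Added example for this thread, not the blocklister script or any poster's code.
# Fetch a blocklist over HTTPS with certificate verification, keep only lines
# that are IPv4 addresses or CIDR prefixes, and render RouterOS address-list
# commands from the survivors. A fetched file is treated as data, never run
# through /import, so a line such as "/user add ..." is rejected, not executed.
set -euo pipefail

# Hypothetical source URL and address-list name; replace with your own.
BLOCKLIST_URL="https://example.invalid/blocklist.txt"
LIST_NAME="blocklist"

# fetch_blocklist URL DEST: curl verifies the server certificate by default;
# --proto '=https' makes a redirect to http:// or ftp:// fail instead of
# silently downgrading to a transport an on-path attacker can rewrite.
fetch_blocklist() {
    curl --fail --silent --show-error --proto '=https' --tlsv1.2 \
         --max-time 30 --output "$2" "$1"
}

# validate_blocklist FILE: print only lines that are a dotted-quad IPv4
# address, optionally with a /0-/32 prefix, every octet 0-255. Comments and
# blank lines are skipped; anything else is reported on stderr and dropped.
# Returns 1 if any line was rejected so the caller can refuse a partial list.
validate_blocklist() {
    awk '
    function octets_ok(a,    i, n, part) {
        n = split(a, part, ".")
        if (n != 4) return 0
        for (i = 1; i <= 4; i++)
            if (part[i] !~ /^[0-9][0-9]?[0-9]?$/ || part[i] + 0 > 255) return 0
        return 1
    }
    {
        sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "")
        if ($0 == "") next
        np = split($0, p, "/")
        if (np == 1)      { addr = p[1]; pfx = "32" }
        else if (np == 2) { addr = p[1]; pfx = p[2] }
        else              { addr = "";   pfx = "" }
        if (octets_ok(addr) && pfx ~ /^[0-9][0-9]?$/ && pfx + 0 <= 32) { print $0; next }
        printf "rejected line %d: %s\n", NR, $0 > "/dev/stderr"
        bad = 1
    }
    END { exit (bad ? 1 : 0) }' "$1"
}

# render_routeros FILE: emit RouterOS commands that can only add address-list
# entries. Review this output, then paste it into the router; do not /import
# anything downloaded from the list source.
render_routeros() {
    while IFS= read -r entry; do
        printf '/ip firewall address-list add list=%s address=%s comment="fetched blocklist"\n' \
            "$LIST_NAME" "$entry"
    done < "$1"
}

# Demo on a constructed sample (not fetched): a hostile command line and an
# out-of-range address are hidden among valid entries. To use the real source,
# call: fetch_blocklist "$BLOCKLIST_URL" raw.txt && validate_blocklist raw.txt > ok.txt
SAMPLE=$(mktemp); VALID=$(mktemp)
printf '%s\n' '1.2.3.4' '10.0.0.0/8   # rfc1918' \
    '/user add name=backdoor group=full password=x' '999.1.1.1' > "$SAMPLE"
if validate_blocklist "$SAMPLE" > "$VALID"; then
    echo "list clean, safe to render"
else
    echo "list contained non-address lines; review before applying anything" >&2
fi
render_routeros "$VALID"
rm -f "$SAMPLE" "$VALID"
```

The validator fails the whole run when any line is not an address, rather than quietly applying the lines that passed, because a list that has started carrying commands is a list whose source should no longer be trusted. Certificate verification on the fetch protects the transport; the validation step is what protects the router from the content.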
Depends where you live; in small communities, people with similar interests/occupations gather and talk, you never know what you can find out...

> Well, this is pure fantasy, but if I *somehow* manage to find out what my ISP does (no matter what is actually done) it means that their security (be it the technical or the "human" one) is a nice colander.
Well, in small communities you don't even need to share interests or occupation, if the boyfriend of the cousin of the friend of your brother-in-law likes a few pints of beer or some wine ...

> Depends where you live; in small communities, people with the same interests/occupations gather and talk, you never know what you can find out...
The issue is you suggest that anyone who builds an open source script/framework and publishes it transparently on GitHub is a "CRITICAL" ... "security issue".

> Who guarantees that you yourself, on GitHub, do not insert commands that create users and open backdoors in the router?
Nobody knows everything, but staying within the RouterOS scripts, at most I'll teach you.

> (I hope you will improve your incomplete knowledge in practice.)
No, for two reasons, and also for others not listed,

> So you devalue the work that I, @eworm, @merlinthemagic, and MANY others do to publish their work on GitHub, […]
I am always open to new information, but due to your initial approach, I am closed to any information from you.

> Nobody knows everything, but staying within the RouterOS scripts, at most I'll teach you.
The world is not just this forum, and I am newly registered in the forum, yes, but I do not have an anonymous account. To be long-term, you have to start somewhere.

> and the second, "the user who posts once and goes away" is certainly less reliable than someone who is always present on the forum...
Your loss, and I guess some folks can't handle the truth. I find honest, no-BS answers refreshing, and they are irrefutable when backed up by technical acumen.

> I am always open to new information, but due to your initial approach, I am closed to any information from you.