Ask Slashdot: Can Commercial Hardware Routers Be Trusted?

First time accepted submitter monkaru writes "Given reports that various vendors and encryption algorithms have been compromised, is it still possible to trust any commercial hardware routers or is 'roll your own' the only reasonable path going forward?" What do you do nowadays, if anything, to maintain your online privacy upstream of your own computer?

  • by dgatwood ( 11270 ) on Saturday December 21, 2013 @07:34PM (#45756811) Homepage Journal

    The answer depends on what you mean. As far as I'm concerned, a hardware router can probably be trusted to be a basic firewall/router. It's pretty unlikely that anyone will come up with a useful attack on a device that's just doing port blocking, NAT, and basic routing. At worst, somebody might DOS it or turn it into a well-connected zombie to aid in DDOSing somebody's server, but neither of those is compromising your data.

    Now if you're passing unencrypted data across that router, you might have a problem, but then again, passing unencrypted data across any router outside your own intranet is a bad idea, so nothing new there. And if you're expecting the commercial router to provide a VPN, then the answer to whether it is trustworthy becomes "no", because its crypto implementation cannot readily be audited and verified to be trustworthy.

  • routerpwn (Score:2, Informative)

    by Anonymous Coward on Saturday December 21, 2013 @07:45PM (#45756871)
  • Re:No. (Score:5, Informative)

    by D-Fly ( 7665 ) on Saturday December 21, 2013 @07:50PM (#45756901) Homepage Journal

    Public key cryptography using open source tools that have been tested and retested by lots of other coders still works pretty well. The RSA backdoor you are referring to is certainly discouraging news. But on the other hand, the fact that RSA had backdoored itself was sort of understood by the community at large as far back as 2006, shortly after they issued the compromised tool. This week's news is merely confirmation. That's why PGP and its ilk, open source and made by activists, might be a better option than commercial tools by companies with a strict profit motive.

    If you are really concerned about security, you might very well want to roll your own machine, and certainly should run a fresh, clean Linux install off a CD every time you start up, to reduce the chances your machine is compromised.

  • Re:No. (Score:5, Informative)

    by Jane Q. Public ( 1010737 ) on Saturday December 21, 2013 @08:20PM (#45757047)

    "But on the other hand, the fact that RSA had backdoored itself was sort of understood by the community at large as far back as 2006, shortly after they issued the compromised tool."

    "Backdoored itself" is a singularly apt way to put it. But apparently they were engaged in trying to "backdoor" other people, too, which is not a victimless crime.

    Personally, after their "SecurID" debacle and now this, I'm not inclined to "trust" RSA at all. Fool me once, and all that.

    And the same can be said about Dropbox. They promised end-to-end encryption, but instead they were "de-duping" files to save storage, which means that entirely contrary to what they told their customers, they actually had direct access to your raw files. Sure, they fixed that (so they say), and said "Sorry, we won't do it again." But how much can you trust them, considering that they blatantly lied to you before?

  • Re:No. (Score:5, Informative)

    by Anonymous Coward on Saturday December 21, 2013 @08:28PM (#45757097)

    Firmware attacks can be sophisticated indeed: http://spritesmods.com/?art=hddhack&page=1
