Ask Slashdot: Can Commercial Hardware Routers Be Trusted? 213
First time accepted submitter monkaru writes "Given reports that various vendors and encryption algorithms have been compromised. Is it still possible to trust any commercial hardware routers or is 'roll your own' the only reasonable path going forward?" What do you do nowadays, if anything, to maintain your online privacy upstream of your own computer?
Still have to rely on the NICs (Score:5, Insightful)
The Wrong Question (Score:5, Insightful)
Re:No. (Score:5, Insightful)
actually the obvious answer is that trust is not a binary thing.
Actually, the obvious answer is that you don't have a choice. No matter how much effort you put into it, you will always be depending on third party hard- or software that simply have to trust. So, you want to solder your own PCB? Sure, go ahead, but your Ralink SoC is still manufactured somewhere in China. Don't trust Cisco's IOS? Sure, write your own, and let me know how you designed and manufactured your own ASICs. And then we're not even discussing the fact that as soon as the packet leaves your router, it will enter one that you don't even own. Yes, there is a lot that you can do and I think the closest real answer to the poster's question is to just get an OpenWRT capable router and compile from scratch, but to not trust anyone is simply not an option.
Re:No. (Score:5, Insightful)
I was going to say that.
RSA compromised with money. Cisco compromised already documented. Juniper? I don't know but I wouldn't doubt it.
NSA, you've turned the world against the US and all its businesses. Happy yet?
Re:It can be a good thing too (Score:5, Insightful)
Like RSA or Microsoft?
Re:X-Files (Score:3, Insightful)
Trust No One!
And I should believe you why?
You're doing it wrong. (Score:3, Insightful)
If you're worried about a router and if you can trust it, you've already done it wrong.
Your data should have been encrypted before it let the original application if its something you care about.
It shouldn't MATTER if you can trust the router, if it does, you've already failed.
Comment removed (Score:4, Insightful)
Good question! (Score:2, Insightful)
Re:For VPNs, or for routing? (Score:5, Insightful)
I am pretty sure if they are interested enough they will get the data one way or another.
This...
Or has no one ever heard of rubber-hose cryptography?
If all else fails, they can break in at night and steal the information locally, or simply put a gun to your head.
When it comes to computer nerds, that last option probably has a 99.99% success rate.
Re:No. (Score:5, Insightful)
It has been demonstrated that the intelligence agencies (plural) in the US government is the tail that wags the dog. This is historically true and more than likely true today as well. When you've got the dirt on many people, how tempting would it be to leverage that into getting your way? It's a temptation many could not avoid exploiting.
Re:For VPNs, or for routing? (Score:4, Insightful)
As far as I'm concerned, a hardware router...
There is no such thing. A device that moves data from one location to another, using some policies to examine and transform it, is not just a "hardware" device. It's also software. And if it interfaces with software, then it can be compromised. Or haven't you noticed the news about D-Link routers? [slashdot.org] A lot of these routers have 2MB or less of flash, which makes it difficult to find a useful exploit, but "difficult" doesn't mean "impossible."
It's pretty unlikely that anyone will come up with a useful attack on a device that's just doing port blocking, NAT, and basic routing. At worst, somebody might DOS it or turn it into a well-connected zombie to aid in DDOSing somebody's server, but neither of those is compromising your data.
With just a little paranoia, I can imagine someone finding a way to get those routers to copy your traffic, or at least the headers, to some hostile entity. It doesn't take full knowledge of your traffic to destroy your privacy. [arstechnica.com]
A router is a type of computer. It's subject to all the same concerns about trustworthiness as any debate about proprietary and free software.
Re:No. (Score:4, Insightful)