Let's do a first short test of gl-inet firmware 3.2, the shortest of the snapshot version:
Changes between different versions: unknown place
That's what I have seen on version 2021-02-01:
- Local update from a downloaded file is possible.
- The old released version 3.105 shows only an outdated MD5 check in the web interface for local firmware update. The 3.2 snapshot firmware now shows a SHA256 check for installing firmware. That's great.
- On wifi, menu items are now available for WPA2/WPA3 mixed mode and WPA3-only mode. That sounds great.
- DNS over TLS, like Cloudflare, is available.
- IPv6 can be disabled in the easy menu.
- The admin menu and the advanced admin menu use the same password. That works after changing the password too.
- OpenVPN works fine. Uninstalling the non-OpenVPN one is possible too if requested.
Ideas for possible improvements:
The system doesn't ask for the country at first logon, in a first popup window, or in an easy-to-use GUI in the wifi section. The country selection is still a little bit hidden for a lot of users… That can be a problem with local law, certification like CE, and the speed and connection for the user. In the current case, without country configuration the router will, in some countries around the world, not use all channels which are allowed in the country, may use the wrong power on some channels, and may not get a connection depending on the static preconfigured channel 6, which doesn't make sense in some countries like EU, JP and maybe some more.
At first configuration of the 3.2 snapshot software, only short passwords, e.g. 6 characters, are accepted. A long one, e.g. 64 characters, can be set at first configuration too, but it's not possible to log on with it after reboot. So the router needs a reset. Set an insecure short password, log off, log on and set a longer one. I remember the same GL firmware bug like this one or two years ago …
Logging in to the advanced admin menu shows some big red error message about “Syntax Errors”.
The right German translation for the English menu item “WIRELESS” is “DRAHTLOS” and not “KABELLOS”. See old bug report on this …
Replace the unsecured NTP with a secured one like NTS. It's offered by e.g. Cloudflare and RFC. See old suggestion on this …
It may be that the “Update” button in the “Plug-ins” menu doesn't update the available plug-ins. It may be that at this time only already installed and used plug-ins are shown. At this time I see about 286 or so plug-ins. If I remember right, the count of available ones was much higher on older released GL firmware versions.
The web server used by the GL firmware, lighttpd 1.4.48, has been outdated for more than 3 years. The current version as of 2021-02 is 1.4.59.
The list of available UTC times is still not alphabetical, just like on older firmware versions. See older reports for this …
Add a check for wrong passwords in the following way: add a wait time of 1 second after the 1st wrong password; after every further wrong password input, double the time. See the old suggestion post for this …
Changing the default value of the NTP config, which with every NTP request tells the requested NTP server the OS used by the router, to one which doesn't tell the OS used by the router can improve the security a little bit for free.
Add a self-explanatory description of the security level of the different wifi modes, like the one which is available in the advanced admin of the GL firmware and comes from the original OpenWrt firmware. It may be that users of the simple admin menu will need these hints more than the advanced users of the advanced admin menu.
Add a file proxy on the router to reduce the traffic.
- NEED TO CHANGE THE DEFAULT VALUE FOR SSH ACCESS !!!
From the point of view of the SSH drop-down menu, SSH is configured to be available on all connections, like WAN, WLAN and LAN. At minimum the WAN access should be disabled by default. The best would be to disable SSH for all connections by default.
- HTTPS login for the router
- HTTP to HTTPS redirect for the built-in web server
- Secure the web interface login page as follows: add a wait time of 1 second on the logon screen after the 1st wrong password input. Double the wait time after every wrong password input until the right password is given. After getting the right password or after a reboot, start with a wait time of 0 seconds. And so on…
Not checked:
- Is a password used for SSH? I remember an old firmware bug where no password was set …
- some points from deleted bug tracker
- some points from shortest of 3.103, 3.104 and 3.105 firmware test…
- external code review of the closed-source part (see deleted bug tracker)
Possible potential for hardware improvements:
Possible potential for transparency of firmware development:
- It may be that the new quality of transparency in firmware development introduced with firmware 3.105 is still pending for the current firmware. See the following: Firmware 3.105 Snapshot Update
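The login delay suggested twice in the post (1 second after the first wrong password, doubled after each further one, back to 0 after the right password or a reboot), as an added example that is not part of the original post and not GL firmware code. `LoginThrottle`, the optional `max_delay` cap and the sample password are assumptions made for illustration.

```python
import hmac
import time

class LoginThrottle:
    """Doubling wait time after each wrong password, as proposed in the post."""

    def __init__(self, verify, clock=time.monotonic, max_delay=None):
        self.verify = verify          # callable(password) -> bool
        self.clock = clock            # injectable so the logic can be tested
        self.max_delay = max_delay    # optional cap (assumption, not in the post)
        self.failures = 0             # held in memory only, so a reboot resets it
        self.locked_until = 0.0

    def current_delay(self):
        """Wait in seconds imposed by the failures so far: 0, 1, 2, 4, 8, ..."""
        if self.failures == 0:
            return 0
        delay = 2 ** (self.failures - 1)
        return delay if self.max_delay is None else min(delay, self.max_delay)

    def attempt(self, password):
        """Return (ok, seconds_to_wait). Attempts made during the wait are
        refused without checking the password and do not extend the wait."""
        now = self.clock()
        if now < self.locked_until:
            return False, self.locked_until - now
        if self.verify(password):
            self.failures = 0         # right password: start again at 0 seconds
            self.locked_until = 0.0
            return True, 0
        self.failures += 1
        self.locked_until = now + self.current_delay()
        return False, self.current_delay()

def demo():
    """Replay constructed guesses against a fake clock; return (ok, wait) pairs."""
    secret = b"correct horse"         # constructed sample password
    t = [0.0]                         # fake clock value in seconds
    check = lambda p: hmac.compare_digest(p.encode(), secret)
    throttle = LoginThrottle(check, clock=lambda: t[0])
    results = []
    for guess in ["a", "b", "c", "correct horse", "d"]:
        ok, wait = throttle.attempt(guess)
        results.append((ok, wait))
        t[0] += wait                  # the caller waits out the delay
    return results

if __name__ == "__main__":
    print(demo())
```

A guess submitted while the wait is still running is rejected even if it is correct, which is what makes the delay effective against automated guessing.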