20.xx: postponse LuCI HTTPS per default

Alberto Bursi bobafetthotmail at gmail.com
Fri Nov 20 09:46:31 EST 2020 


On 20/11/20 14:22, Fernando Frediani wrote:
> I don't see having HTTPS by default in LuCI as something good or even 
> necessary ? It's actually an unnecessary complication that could always 
> be optional.
> 
> One of the main reasons is that in many and probably most cases of a new 
> deployed OpenWrt router there is still no Internet connection available. 
> Also it doesn't seem to be that people need it since access by default 
> is only done via the LAN interfaces.

Not using SSL means anyone in the LAN can snoop the password to access 
the router.

While this is a non-issue for most home wired networks, it is for wifi 
and most people will use wifi on their router.

WPA2 is not going anywhere for a long while still and it is susceptible 
to deauth attacks. After the attacker has captured enough handshakes 
after the deauth they will know the wifi password. It just takes a while 
but there are plenty of automated tools to do that 24/7 like Pawnagotchi 
(a raspberry zero running a dedicated application) or wifi pineapples or 
whatever.

Using SSL for web interface means the system is at least 
compartimentalized so in case someone breaks into the wifi/LAN they 
won't also take over the router as well.

> If someone for some reason wishes 
> for example to expose the LuCI web interface to the internet than fine 
> to have it running on HTTPS and that can be enabled by those who wish to 
> operate in such way. As this example there are certainly others that 
> justify to have a HTTPS but I don't they they are most.
> 
> The same way I see as interesting to have an automated way to generate 
> SSL Certificates (ex: via Let's Encrypt), but again, that should be 
> optional to only those who wish to use HTTPS for their specific needs.
> 
> Fernando
> 
> On 20/11/2020 06:44, Karl Palsson wrote:
>> "Paul Spooren" <mail at aparcar.org> wrote:
>>> Hi,
>>>
>>> The current list of release goals for 20.xx states[0] that LuCI
>>> should use HTTPS per default. This works by creating on-device
>>> a self-signed certificate. Self-signed certificates result in
>>> warnings and may cause more harm than good, multiple discussion
>>> are found in the mail archive.
>>>
>>> As no clean solution seems in reach while 20.xx seems close,
>>> I'd like to suggest to postponse HTTPS LuCI (`luci-ssl` vs
>>> `luci`) per default.
>>>
>>> This isn't a vote but a request for developer/user opinions.
>> Very much in favour of leaving this off, self-signed isn't viable
>> by default
>>
>> Sincerely,
>> Karl Palsson
>>
>> _______________________________________________
>> openwrt-devel mailing list
>> openwrt-devel at lists.openwrt.org
>> https://lists.openwrt.org/mailman/listinfo/openwrt-devel
> 
> _______________________________________________
> openwrt-devel mailing list
> openwrt-devel at lists.openwrt.org
> https://lists.openwrt.org/mailman/listinfo/openwrt-devel

More information about the openwrt-devel mailing list