20.xx: postpone LuCI HTTPS per default
Fernando Frediani
fhfrediani at gmail.com
Fri Nov 20 10:59:11 EST 2020
The only reason I see to have HTTPS and certificates in OpenWrt in my
view is to give some layer of security for those accessing the router
via Wifi or over the Internet for example.
And only admins, who have set up the router or work directly with it, will
access it (not normal users), so they know well enough what they are doing
not to have a problem with a self-signed certificate, or if it's the
case they may deploy (optionally and later on) a Let's Encrypt
certificate, which will be in even fewer cases.
Fernando
On 20/11/2020 12:52, W. Michael Petullo wrote:
> I think making use of self-signed certificates in production is a bad
> idea because (1) it reinforces poor practices, namely electing to trust
> a self-signed certificate and (2) it does not authenticate the
> server/router, a critical piece of the TLS security model.
>
> My point of view is that we should delay HTTPS-by-default until we have
> a scheme for establishing the identity of the router. Until then, we
> should be honest and make use of HTTP.
>