20.xx: postpone LuCI HTTPS per default

W. Michael Petullo mike at flyn.org
Fri Nov 20 10:52:07 EST 2020


I think making use of self-signed certificates in production is a bad
idea because (1) it reinforces poor practices, namely electing to trust
a self-signed certificate and (2) it does not authenticate the
server/router, a critical piece of the TLS security model.

My point of view is that we should delay HTTPS-by-default until we have
a scheme for establishing the identity of the router. Until then, we
should be honest and make use of HTTP.

-- 
Mike

:wq


