20.xx: postponse LuCI HTTPS per default

Fernando Frediani fhfrediani at gmail.com
Fri Nov 20 10:59:11 EST 2020


The only reason I see to have HTTPS and certificates in OpenWrt in my 
view is to give some layer of security for those accessing the router 
via Wifi or over the Internet for example.

And only admins, who have setup the router or work directly with it will 
access it (not normal users) so they know well what they are doing to 
not find a problem to have a self-signed certificate, or if it's the 
case they may deploy (optionally and later on) a Let's Encrypt 
certificatate which will be in even fewer cases.

Fernando

On 20/11/2020 12:52, W. Michael Petullo wrote:
> I think making use of self-signed certificates in production is a bad
> idea because (1) it reinforces poor practices, namely electing to trust
> a self-signed certificate and (2) it does not authenticate the
> server/router, a critical piece of the TLS security model.
>
> My point of view is that we should delay HTTPS-by-default until we have
> a scheme for establishing the identity of the router. Until then, we
> should be honest and make use of HTTP.
>



More information about the openwrt-devel mailing list