20.xx: postpone LuCI HTTPS per default

Alberto Bursi bobafetthotmail at gmail.com
Fri Nov 20 11:14:44 EST 2020



On 20/11/20 16:52, W. Michael Petullo wrote:
> I think making use of self-signed certificates in production is a bad
> idea because (1) it reinforces poor practices, namely electing to trust
> a self-signed certificate and (2) it does not authenticate the
> server/router, a critical piece of the TLS security model.

Maybe, but it's still better than sending all communication to the
management interface as plain text.

> 
> My point of view is that we should delay HTTPS-by-default until we have
> a scheme for establishing the identity of the router. Until then, we
> should be honest and make use of HTTP.
> 

Nobody is working on that, and in most cases it's not really possible.
You always have a point where the user has to make the call of trusting
the device's ID or code or something.

-Alberto



More information about the openwrt-devel mailing list