20.xx: postpone LuCI HTTPS per default
Alberto Bursi
bobafetthotmail at gmail.com
Fri Nov 20 11:14:44 EST 2020
On 20/11/20 16:52, W. Michael Petullo wrote:
> I think making use of self-signed certificates in production is a bad
> idea because (1) it reinforces poor practices, namely electing to trust
> a self-signed certificate and (2) it does not authenticate the
> server/router, a critical piece of the TLS security model.
Maybe, but it's still better than sending all communication to the
management interface as plain text.
>
> My point of view is that we should delay HTTPS-by-default until we have
> a scheme for establishing the identity of the router. Until then, we
> should be honest and make use of HTTP.
>
Nobody is working on that, and in most cases it's not really possible.
You always have a point where the user has to make the call of trusting
the device's ID or code or something.
-Alberto