20.xx: postpone LuCI HTTPS per default
Luiz Angelo Daros de Luca
luizluca at gmail.com
Fri Nov 20 12:25:10 EST 2020
Hi,
I guess we could simply ask the user by default (with options to
auto-generate a certificate or ignore https). LuCI already warns that a
root password must be set.
Why not also add something like: "Upgrade to a secure connection?".
"No password set!
There is no ...
<Go to password configuration>...
"
"You are using an unencrypted connection!
Before entering sensitive information, like a password, it is
recommended to enable encryption (https).
<Setup a certificate and enable encryption>...
<Don't warn me again.> # it will require authentication if a password is already set
"
If the user opts to use it, it could generate a self-signed
certificate and offer it to be downloaded/imported even before using
it.
http://192.168.1.1/luci/https-settings#generate-self-signed...
HTTP Settings:
#if "the certificate is not trusted by the browser. Can we test it using ajax?"
<Download current certificate>
Click here to download and import the router certificate now.
Otherwise, your browser will warn you that the router certificate is
not trusted. Then, you can ignore the error and continue. However, it
would be safer to add the router to browser certificate exceptions.
You might need to do it again every time the certificate is
regenerated.
If the certificate warning page reappears for the same router in the
same browser, it might not be automatically trusted as it could be a
malicious device impersonating your router trying to steal your
credentials.
#endif
[Generate a new self-signed certificate]
[Generate a new certificate request] / [Import the signed certificate] # if a CSR was generated
[Generate a new Let's Encrypt certificate] # it would be a nice add-on
[Remove current certificate and disable encryption]
The next luci request will redirect the browser to https://
My 2 cents,
---
Luiz Angelo Daros de Luca
luizluca at gmail.com
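
The post asks whether the "certificate is not trusted by the browser" condition can be tested using ajax. One way to probe it from the plain-HTTP page, as an added example that is not part of the original post or of LuCI; the function names, the `httpsEnabled` flag (assumed to be supplied by the router) and the notice labels are assumptions. A failed probe cannot tell an untrusted certificate apart from an unreachable HTTPS port, so the result only selects which notice to show.

```javascript
// Added example (not LuCI code): probe the router's HTTPS endpoint from the HTTP page.
// fetchImpl and timeoutMs are parameters so the logic can be exercised outside a browser.
async function probeHttps(host, { fetchImpl = globalThis.fetch, timeoutMs = 3000 } = {}) {
  const ctrl = new AbortController();
  const timer = setTimeout(() => ctrl.abort(), timeoutMs);
  try {
    // 'no-cors' yields an opaque response; that is enough, because the request
    // only resolves if the browser completed a TLS handshake it was willing to trust.
    await fetchImpl(`https://${host}/`, {
      mode: 'no-cors',
      cache: 'no-store',
      credentials: 'omit', // never send cookies or auth during the probe
      signal: ctrl.signal,
    });
    return 'trusted';
  } catch (err) {
    // Browsers report certificate errors and refused connections identically
    // (a generic TypeError), so the two cases are deliberately not separated.
    return err && err.name === 'AbortError' ? 'timeout' : 'unreachable-or-untrusted';
  } finally {
    clearTimeout(timer);
  }
}

// Map the probe result to the notices sketched in the post.
// httpsEnabled: hypothetical flag rendered by the router, true once a certificate exists.
function chooseNotice(pageProtocol, httpsEnabled, probeResult) {
  if (pageProtocol === 'https:') return 'none';
  if (!httpsEnabled) return 'warn-unencrypted';        // "You are using an unencrypted connection!"
  if (probeResult === 'trusted') return 'redirect-to-https';
  return 'offer-certificate-download';                 // "<Download current certificate>"
}
```

In a browser this would be called as `probeHttps(location.hostname)` before deciding whether to render the download block or redirect.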