A proposal of https certificate assignment system for luci

Alberto Bursi bobafetthotmail at gmail.com
Tue Oct 6 13:20:26 EDT 2020



On 05/10/20 18:38, Michael Richardson wrote:
> 
> Fernando Frediani <fhfrediani at gmail.com> wrote:
>      > I am not sure click-through certificate warning is that much of a
>      > security issue in this context, nor should OpenWrt have certificates
>      > issued by default if I understood it correctly.
> 
>      > Most people accessing OpenWrt LuCI interface know what it is and would
>      > not find it strange to have to accept a self-signed certificate.  Also
>      > OpenWrt devices mostly are accessible from internal and restricted
>      > networks and not exposed to the Internet. Still if necessary it is
>      > still possible to add its own valid certificate to it on those cases
>      > where necessary.
> 
> So, let me invert your logic to explain the issue.
> 
> Because of the lack of certificates, and the hassle with click-through issues
> with self-signed certificates, access to the OpenWRT LuCI interfaces is
> restricted to people who know what it is.  Only highly trained people know
> how to accept a self-signed certificate.


I think calling "highly trained people" someone that knows how to click 
on two buttons on a web browser interface is a bit too much.

Just add screenshots in the first install tutorial and/or something to 
the documentation that explains how to do that in case someone really is 
very new and has never needed to accept a self-signed certificate.


> 
> As a result, most devices are accessible only from internal networks, and
> usually never exposed to the Internet.  Default passwords remain unchanged,
> and malware that has infected a vulnerable PC easily attacks the OpenWRT LuCI interface.
> 

I think this assumes a situation that is true with IoT and embedded 
devices but isn't true for OpenWrt devices.

I mean, someone goes to the length of installing a custom firmware on a 
router/AP/NAS/whatever, which involves finding the firmware file, 
finding the procedure to flash it (and in many devices you must use TFTP 
or serial or other recovery systems, you cannot flash it from stock web 
interface).
When this firmware starts for the first time the wifi of the device is 
disabled so 90% of the users will very likely want to enable it again.
Any NAS or special function is also disabled or not installed by 
default, so a NAS isn't particularly useful in this stage.

Then after they did that they decide to leave the device as-is with 
default config with LAN/WAN routing and no wifi, which is in most cases 
plain worse than what the stock firmware offers?

I was under the impression that people installing OpenWrt do it because 
they want some of the features, and that 90% of the people really want 
their wifi to be on, so there is very good incentive to learn what 
that error they see in the browser on first installation is and how to 
click on a couple of buttons to accept the certificate and proceed to the 
interface where they can actually set up what they wanted to do with 
their device.


> --
> ]               Never tell me the odds!                 | ipv6 mesh networks [
> ]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
> ]     mcr at sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [
> 


