A proposal of https certificate assignment system for luci

Michael Richardson mcr at sandelman.ca
Tue Oct 6 13:43:29 EDT 2020


Alberto Bursi <bobafetthotmail at gmail.com> wrote:
    >> Fernando Frediani <fhfrediani at gmail.com> wrote:
    >>     > I am not sure click through certificate warning is that much of a
    >>     > security issue in this context neither OpenWrt should have
    >>     > certificates issued by default if I understood it correctly.
    >>
    >>     > Most people accessing OpenWrt LuCI interface know what it is and
    >>     > would not find it strange to have to accept a self-signed
    >>     > certificate.  Also OpenWrt devices mostly are accessible from
    >>     > internal and restricted networks and not exposed to the
    >>     > Internet. Still if necessary it is still possible to add its own
    >>     > valid certificate to it on those cases where necessary.
    >>
    >> So, let me invert your logic to explain the issue.
    >>
    >> Because of the lack of certificates, and the hassle with click-through
    >> issues with self-signed certificates, access to the OpenWRT LuCI
    >> interfaces are restricted to people who know what it is.  Only highly
    >> trained people know how to accept a self-signed certificate.

    > I think calling "highly trained people" someone that knows how to click
    > on two buttons on a web browser interface is a bit too much.

That's not the point.
In fact, it's entirely the opposite of the point.

The *training* is knowing when you can click on the two+ buttons, and when it
is imprudent to do so.
The mechanics of the clicking is entirely irrelevant.

Training users to click through those warnings is exactly what browser makers
are trying to avoid, and browser makers have been trying to make the
exception harder and harder to find.  Many would like it removed.
And, for good reason, because it is almost always inappropriate for most
non-technical users to do that.  [Children, (grand)parents, etc...]

So, honestly, anyone that needs screenshots to figure it out should never be
clicking through the links.

    > I mean, someone goes to the length of installing a custom firmware on a
    > router/AP/nas/whatever, which involves finding the firmware file,
    > finding the procedure to flash it (and in many devices you must use

So, just to be clear, are you saying that we should design OpenWrt to only be
usable by developers?

Home routers are critical parts of the home IoT ecosystem.
OpenWRT is shipped in millions of devices by manufacturers too lazy to bother
doing much.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     mcr at sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [
