A proposal of https certificate assignment system for luci

Michael Richardson mcr at sandelman.ca
Sat Oct 10 18:58:27 EDT 2020


Bas Mevissen <abuse at basmevissen.nl> wrote:
    > A security conscious user/administrator would install a router without any
    > untrusted computers connected to the LAN side and setup the device properly
    > before allowing others to connect. The WAN side connection is not important,
    > as Luci is not listening there by default.

sure.
What do security unconscious people do?

    > previous OpenWRT install. Then the user can setup the WAN side if needed and
    > upload (from local PC), generate (self-signed) or acquire (e.g. Let's
    > Encrypt) the certificates for Luci. After that, the connection is switched to
    > HTTPS and HTTP switched off.

This is a good story, but it doesn't have to be the only story.

    > The only issue I see, is how to transfer admin, WAN and WiFi passwords at
    > first boot in a secure way. Even though the user/admin should be alone on the
    > connection, sending those unencrypted over the line is not desirable. Maybe
    > those can be encrypted using client side javascript.

There is nothing you can do with javascript here that wouldn't just be
security theatre.  If you had anchors you could trust, then it would be done.

    > The challenges IMHO are being able to safely retain previously installed
    > certificates over OpenWRT reflashes/upgrades and having user friendly tools
    > to get new certificates uploaded, generated or acquired. For the latter part,
    > some configurable service to periodically download and install certificates
    > from an external host might be desirable (that's how I do it with my NAS
    > boxes at home).

You need a name in DNS, then it's just a dns-01 challenge.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     mcr at sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [
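Added example, not from this thread or from OpenWrt/LuCI: what the dns-01 challenge mentioned above actually asks of a name in DNS, computed per RFC 8555 section 8.4 with the sample RSA account key from RFC 7638 section 3.1; the hostname and the challenge token are constructed.

```python
import base64
import hashlib
import json

# Public part of the sample RSA key from RFC 7638 section 3.1; the RFC gives its
# thumbprint as NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs.
ACCOUNT_JWK = {
    "kty": "RSA",
    "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
    "e": "AQAB",
    "alg": "RS256",     # present in the JWK but excluded from the thumbprint input
    "kid": "2011-04-29",
}

def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required public members only, keys sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return b64url(hashlib.sha256(canonical).digest())

def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: binds the CA's challenge token to the ACME account key."""
    return f"{token}.{jwk_thumbprint(jwk)}"

def dns01_record(domain: str, token: str, jwk: dict) -> tuple[str, str]:
    """RFC 8555 section 8.4: name and value of the TXT record the CA will query.
    The value is the base64url SHA-256 of the key authorization, not the
    authorization itself, so nothing tied to the account key is published in DNS."""
    name = f"_acme-challenge.{domain}"
    value = b64url(hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest())
    return name, value

if __name__ == "__main__":
    # Constructed inputs: a router hostname and a token in the shape a CA would issue.
    name, value = dns01_record("router.example", "CONSTRUCTED-1ZCqhGmGtcHcjLBGQdF0bA", ACCOUNT_JWK)
    print(f'{name}. IN TXT "{value}"')
```

Whatever periodically fetches certificates for the router only needs the ability to write this one TXT record; the CA-side check is nothing more than a DNS lookup and a string comparison.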
