Activate https server support in 21.02 by default

Perry isprotejesvalkata at gmail.com
Sun Sep 19 01:46:49 PDT 2021


Hi Fernando,

Sorry for any confusion.  Our suggestion has two parts. 1) a link in the
header which allows the user to go from http to https. 2) a mouse-over
message explaining self-signed certificates.

Part 2 is a bonus.  But I think it would be really nice.  An
inexperienced user might worry when Firefox presents the message
"potential security risk ahead".

Greets,
Perry

On 9/18/21 10:21 PM, Fernando Frediani wrote:
> Hello Perry
> 
> I didn't understand your suggestion fully.
> 
> You wish to put some warning to users who are willing to use https about
> the self-signed certificate or about users using http?
> 
> Regards
> Fernando
> 
> On 17/09/2021 09:07, Perry wrote:
>> Hi all,
>>
>> This issue has come up recently in the Freifunk-Berlin community.  We
>> have brainstormed a little bit and came up with a suggestion.
>>
>> Would it be possible to have all the headers in the themes to contain a
>> link to https (iff the correct packages are installed)?  A bonus would
>> be a nice mouse-over explaining to the user about the "potential secure
>> risk ahead" with regards to the certificate.
>>
>> Greets,
>> Perry
>>
>> On 5/17/21 4:48 PM, Fernando Frediani wrote:
>>> Seems good to me.
>>> The main question is: will most home users require it? I don't think
>>> so. But there may be others that may do, so as long as http does not
>>> forward to https it seems a good approach so those who want can
>>> deliberately use https.
>>> I think as it stands now forcing https only would be a mistake.
>>>
>>> For those who don't want to use may build a custom image it should
>>> really be the other way round since we are talking about something not
>>> essential. But as mentioned if there is no space consumption impact and
>>> it does not forcibly forward it seems a good approach in my view.
>>>
>>> Fernando
>>>
>>> On 16/05/2021 10:16, Hauke Mehrtens wrote:
>>>> <clip>
>>>> Hi,
>>>>
>>>> Adding CONFIG_PACKAGE_luci-ssl to the image will add less than 10
>>>> KBytes to the image, my initramfs image for an ath79 got 2.2 KBytes
>>>> bigger. This is about 0.05% of the image. We already include a full
>>>> TLS library and use it for WPA3 and HTTPS downloads.
>>>> Probably some extra size is used by the X.509 certificate we generate
>>>> at first boot and store on flash.
>>>>
>>>> With the current approach we would offer the web page under
>>>> http://192.168.1.1 and https://192.168.1.1 by default, the user can
>>>> choose what he would like to use. The http version will not forward to
>>>> the https version. https is not deactivated by default, but the user
>>>> can choose which url he uses in his browser.
>>>>
>>>> The certificates are not signed by a certificate authority, so the
>>>> browser will not trust them by default, but this already protects the
>>>> users from an attacker passively listening on the connection between
>>>> the browser and the OpenWrt device. The comparison with telnet and ssh
>>>> is pretty good. For SSH we "waste" a lot more memory.
>>>>
>>>> I am for activating it, if you do not want to use it, you can build a
>>>> custom image with the image builder without luci-ssl and px5g-wolfssl.
>>>>
>>>> Hauke
>>>
>>> _______________________________________________
>>> openwrt-devel mailing list
>>> openwrt-devel at lists.openwrt.org
>>> https://lists.openwrt.org/mailman/listinfo/openwrt-devel