[PATCH] uhttpd: Increase default certificate validate from 2 to 10 years

Hauke Mehrtens hauke at hauke-m.de
Sun Aug 30 09:20:16 EDT 2020


On 8/30/20 3:09 PM, Adrian Schmutzler wrote:
> Hi Hauke,
> 
>> -----Original Message-----
>> From: openwrt-devel [mailto:openwrt-devel-bounces at lists.openwrt.org]
>> On Behalf Of Hauke Mehrtens
>> Sent: Samstag, 29. August 2020 20:33
>> To: openwrt-devel at lists.openwrt.org
>> Cc: Hauke Mehrtens <hauke at hauke-m.de>
>> Subject: [PATCH] uhttpd: Increase default certificate validate from 2 to 10
>> years
>>
>> The user has to accept this specific certificate manually in his browser; the
>> browser does not trust it automatically, and in this process the user gets a
>> scary message to approve. I am not aware of a way to improve this initial
>> certificate approval.
>>
>> After the certificate has expired the user gets a scary message from his browser
>> again. This message looks very similar to a real man-in-the-middle (MitM)
>> attack; in the MitM attack the warning would complain about a wrong key, in
>> this case about an expired key. We should avoid that the user gets such
>> messages: the more he gets such messages, the more likely it is that he will
>> also approve this message when a real MitM attack is happening.
>>
>> When a normal certificate authority is used the user does not get a scary
>> message when the certificate changed as long as it is still signed by a CA. In
>> such cases it makes sense to have a short validity period because certificate
>> revocation practically does not work on the Internet. Certificate revocation
>> really does not work for self-signed certificates, but exchanging certificates is
>> hard because of the scary messages users see.
>>
>> Even with a certificate validity of 2 years an attacker who has access to the
>> private key could use it for the rest of the time to do MitM attacks, which
>> would not be noticed. If a key gets compromised the user has to manually
>> remove the trust in all SSL clients anyway, no matter if it is valid for 2 or 10
>> years.
>>
>> Let's not increase it to more than 10 years, because the algorithms used in the
>> certificate will probably not be sufficient any more in 10 years.
>>
>> The default self signed SSL certificate for Apache in Debian 10 is also valid for
>> 10 years.
>>
>> To increase the security of the users and also make it more user-friendly,
>> increase the validity to 10 years.
> 
> I think you have a point, but due to the typical lifetime of our releases I'd choose 5 years.

We should not create a new key and certificate after a sysupgrade, the
old certificate should still be used, otherwise a user would see a scary
warning message from his browser. A user can still replace the key and
certificate before the old one expires without a problem.

Hauke
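The thread argues about how long a self-signed uhttpd certificate should stay valid and about replacing it before the browser warning appears. As an added example (not uhttpd or OpenWrt code), this stdlib-only Python walks the DER of a certificate to read notBefore/notAfter and applies that policy: report a certificate that is expired or close to expiry, and one whose lifetime exceeds the 10-year cap discussed above. The `sample_cert` helper builds a constructed, unsigned TBSCertificate skeleton with the real field order so the check can run offline; on a router you would feed it the DER of the installed certificate instead.

```python
from datetime import datetime, timedelta, timezone

def _tlv(data, pos=0):
    """Decode one DER TLV at pos -> (tag, value bytes, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length
def _children(body):                                   # (tag, value) pairs inside a SEQUENCE body
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _tlv(body, pos)
        out.append((tag, val))
    return out
def _asn1_time(tag, val):
    """UTCTime (0x17, YYMMDDhhmmssZ, RFC 5280 pivot at 1950) or GeneralizedTime (0x18)."""
    s = val.decode("ascii")
    if tag == 0x17:
        s = ("20" if int(s[:2]) < 50 else "19") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
def validity(cert_der):
    """(notBefore, notAfter) of a DER certificate: the 4th TBSCertificate field after the version."""
    fields = _children(_tlv(_tlv(cert_der)[1])[1])
    if fields[0][0] == 0xA0:                           # optional explicit [0] version
        fields.pop(0)
    (t1, v1), (t2, v2) = _children(fields[3][1])       # serial, signature, issuer, validity
    return _asn1_time(t1, v1), _asn1_time(t2, v2)
def assess(cert_der, now, warn_days=90, max_years=10):
    """Lifetime policy: report expiry (or approaching expiry) and a lifetime over max_years."""
    nb, na = validity(cert_der)
    findings = []
    if na - nb > timedelta(days=365 * max_years + 3):  # slack for leap days
        findings.append("lifetime exceeds %d years" % max_years)
    if now >= na:
        findings.append("expired")
    elif na - now <= timedelta(days=warn_days):
        findings.append("expires within %d days" % warn_days)
    return findings
def _enc(tag, body):                                   # tiny DER encoder for the constructed sample
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x82, n >> 8, n & 0xFF])) + body
def sample_cert(not_before, not_after):
    """Constructed, unsigned TBSCertificate skeleton in real field order (not a usable cert)."""
    t = lambda d: _enc(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    tbs = (_enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x01")            # version v3, serial 1
           + _enc(0x30, b"") + _enc(0x30, b"")                                # signature alg, issuer
           + _enc(0x30, t(not_before) + t(not_after)) + _enc(0x30, b""))      # validity, subject
    return _enc(0x30, _enc(0x30, tbs))
```

Running `assess` periodically (for example from cron with a warning window that covers the gap between releases) flags the certificate while there is still time to replace it, instead of the user discovering the expiry through the browser warning the thread describes.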
