20.xx: postponse LuCI HTTPS per default

Georgi Valkov gvalkov at abv.bg
Fri Nov 20 03:08:12 EST 2020 

> From: Michael Richardson <mcr at sandelman.ca>
> Subject: Re: 20.xx: postponse LuCI HTTPS per default
> Date: 2020-11-20, 7:26:44 AM EET
> To: "Paul Spooren" <mail at aparcar.org>, openwrt-devel at lists.openwrt.org
> 
> 
> 
> Paul Spooren <mail at aparcar.org> wrote:
>> The current list of release goals for 20.xx states[0] that LuCI should
>> use HTTPS per default. This works by creating on-device a self-signed
>> certificate. Self-signed certificates result in warnings and may cause
>> more harm than good, multiple discussion are found in the mail archive.
> 
>> As no clean solution seems in reach while 20.xx seems close, I'd like to
>> suggest to postponse HTTPS LuCI (`luci-ssl` vs `luci`) per default.
> 
>> This isn't a vote but a request for developer/user opinions.
> 
> I agree with postponing this.
> I think that we need to do some work on this problem.
> This is a subset (an easier subset actually) of a general IoT onboarding problem.
> 
> I would like to form a design-team to figure out what we can do in practice,
> and I would be happy to lead/act-as-convenor it via a series online working
> meetings if the group wants.
> 
> The need for a PPPoE username/password is one of the challenges.

I think we should keep the non-secure HTTP available as a fallback,
because some web browsers, may refuse to connect to self-signed certificates.
The following changes would keep compatibility, yet also help users switch to the
secure interface.
* If using HTTP at the login page, display a link to the HTTPS login.
* Also display a link with some help: Why HTTPS is important.
* The help should explain the warning about unsigned certificates.
* Avoid automatic permanent redirect to HTTPS unless the user wants this.
* The design should be easy to notice, yet not intrusive.

Regarding the idea to use Let’s Encrypt, in theory part of the process can be
automated, but OpenWRT still has to know the DNS name of the site.
If Let’s Encrypt integration is provided, it would be better to enable and configure
it manually. After that the system can update its certificate using a cron task.


Georgi Valkov

More information about the openwrt-devel mailing list