20.xx: postponse LuCI HTTPS per default

Fernando Frediani fhfrediani at gmail.com
Fri Nov 20 11:39:33 EST 2020


Hi. I don't really see having HTTPS by default as something that make 
such a difference for most common users nor as a major security issue in 
the context it is used at the cost it puts, which may seems not too much 
but I always think of the very minimal for a default image and HTTPS 
isn't something really necessary for I would say most scenarios. Again I 
am not against using HTTPS but rather leaving it as optional for those 
who really want to enable. So not really concerned about the low flash 
devices, but because this will be yet another thing to increase the size 
of the default image.

On 20/11/2020 13:32, Alberto Bursi wrote:
>
>
> On 20/11/20 17:17, Fernando Frediani wrote:
>> Hi Alberto
>>
>> On 20/11/2020 13:09, Alberto Bursi wrote:
>>>
>>> <clip>
>>>
>>> The only thing I can accept as a valid complaint against https by 
>>> default is the increased minimum space requirements, everything else 
>>> I really don't understand nor agree with.
>>
>> It's exactly this I am referring to when I talk about the extras not 
>> the steps the user will take to enable it. So why I mentioned to 
>> leave it as optional and easy to do for those who wish (and have 
>> space) to have it.
>>
>
> Devices with low flash space (and RAM) are already receiving special 
> treatment (different compile options, different default packages) to 
> lower space footprint.
>
> These devices can (should?) be left out of the "https by default" easily.
>
> But I would be strongly against degrading security for everyone just 
> because of these devices.
>
> -Alberto
>
>> Regards
>> Fernando
>>
>>>
>>>
>>>> Yes it is nice to have everything ready and automated to be done 
>>>> with a few clicks for those cases that require it. In fact I think 
>>>> this would be a better solution for now so it will be possible to 
>>>> gather gradually this transition (or not) from HTTP to HTTPS even 
>>>> for local/lan applications and see how often people would opt to 
>>>> use it.
>>>>
>>>> Still should it end up having HTTPS by default I see self-signed 
>>>> certificates are the way to go. Yes there are the warnings and I 
>>>> really don't think there is any issue with it.
>>>> Those accessing the router Web Interface are not 'normal' Internet 
>>>> users and they know what they are doing so the warning from 
>>>> self-signed certificates should not be a surprise for them.
>>>> And those cases when admins prefer they can always replace the 
>>>> self-signed one for Let's Encrypt for example.
>>>>
>>>> Regards
>>>> Fernando
>>>
>>>
>>> -Alberto
>>>
>>> _______________________________________________
>>> openwrt-devel mailing list
>>> openwrt-devel at lists.openwrt.org
>>> https://lists.openwrt.org/mailman/listinfo/openwrt-devel
>>
>> _______________________________________________
>> openwrt-devel mailing list
>> openwrt-devel at lists.openwrt.org
>> https://lists.openwrt.org/mailman/listinfo/openwrt-devel
>
> _______________________________________________
> openwrt-devel mailing list
> openwrt-devel at lists.openwrt.org
> https://lists.openwrt.org/mailman/listinfo/openwrt-devel



More information about the openwrt-devel mailing list