A proposal of https certificate assignment system for luci
Michael Richardson
mcr at sandelman.ca
Mon Oct 5 12:38:50 EDT 2020
Fernando Frediani <fhfrediani at gmail.com> wrote:
> I am not sure click-through certificate warning is that much of a
> security issue in this context, nor should OpenWrt have certificates
> issued by default, if I understood it correctly.
> Most people accessing OpenWrt LuCI interface know what it is and would
> not find it strange to have to accept a self-signed certificate. Also
> OpenWrt devices mostly are accessible from internal and restricted
> networks and not exposed to the Internet. Still if necessary it is
> still possible to add its own valid certificate to it on those cases
> where necessary.

So, let me invert your logic to explain the issue.

Because of the lack of certificates, and the hassle with click-through issues
with self-signed certificates, access to the OpenWrt LuCI interfaces is
restricted to people who know what it is. Only highly trained people know
how to accept a self-signed certificate.

As a result, most devices are accessible only from internal networks, and
usually never exposed to the Internet. Default passwords remain unchanged,
and malware that has infected a vulnerable PC easily attacks the OpenWrt LuCI interface.

--
] Never tell me the odds! | ipv6 mesh networks [
] Michael Richardson, Sandelman Software Works | IoT architect [
] mcr at sandelman.ca http://www.sandelman.ca/ | ruby on rails [
More information about the openwrt-devel
mailing list