A proposal of https certificate assignment system for luci

Alberto Bursi bobafetthotmail at gmail.com
Wed Oct 7 18:01:05 EDT 2020



On 07/10/20 04:01, Daniel Golle wrote:
> Hi Alberto,
> Hi Michael,
> Hi everyone else,
> 
> I don't understand how your argument is related to that pretty nice
> suggestion regarding a fairly complex and (unfortunately) relevant
> problem.

It is relevant because it's asking how big of a problem it actually is 
to maintain the current status quo of accepting the warnings with the 
buttons.

In my opinion, until the browsers start blocking the connection to sites 
with self-signed certificates, this is a non-issue because the userbase 
is tech-savvy enough to read the wiki and follow a tutorial, since they 
are already following a tutorial to install OpenWrt to begin with.

> Apart from it being hard to prove that people wanting to access the
> configuration (and status!) interface of a device running OpenWrt (or
> something based on it) are all prosumers or developers, for future
> users this assumption even has the taste of a self-fulfilling
> prophecy.

Hard to prove? I thought it was obvious enough. Is the following 
situation different where you live?

Where I live (Italy), the devices from all ISPs have always been 
pre-configured since ages ago, wifi is always enabled and the 
device-specific wifi key is on a sticker under the device, also WPS 
functionality is commonly available with a button.
They never ever have to open its configuration panels to do anything, 
just connect the cables and power plug.
A few ISPs don't even provide passwords for their device web interface 
and their tech support people will remote-control them to enable or 
disable features (open ports and add rules and whatnot) as requested by 
the customer on the phone.

For devices that aren't provided by the ISPs, basic stuff like setting 
up a guest wifi or sharing a USB device are one-button wizards that just 
ask the network name and password, or what is the USB device you want to 
share.

All devices with a SIM card slot and modem are plug-and-play aka you 
just insert a SIM without the PIN and power on, and everything works.

Also most devices have a selector in the web interface that allows you to 
switch them between three modes: wifi AP, wifi repeater, router,
and reconfigures a bunch of stuff under the hood.

On OpenWrt the user experience is very different from that, and I don't 
think it's a stretch to assume that it is filtering the userbase.

We start by installing a custom firmware on a device, sometimes easy 
sometimes hard. The entire concept of doing that already filters out 
many non-tech-savvy people.
If we talk of OpenWrt used on ISP-provided devices, it's usually a 
pre-configured plug-and-play system that the end user never looks at again.

Then you must set up the wifi network, no wizard. It's assumed you know 
how to do it or read the wiki.

Changing the "mode" of the device requires multiple steps of configuration on 
OpenWrt, and sometimes can only be done from the command line. Again, it's 
assumed you know how to do it or have RTFM.

Many features require you to copy-paste console commands and/or follow a 
tutorial from the wiki to do this or that. Even basic stuff like setting 
up a guest wifi requires multiple steps of configuration, setting up new 
interfaces, new firewall rules and whatnot.
Connecting and sharing a USB drive? Yay, more steps to connect it, 
install drivers, mount it, set up Samba on the folder it is mounted on.
Using devices that have an integrated 3G/LTE modem? More configuration.
You want to set up a RAID on a NAS device? commandline only, baby.

All proposals for making a default wifi with device-specific passwords 
have been shot down, and wifi isn't enabled even in devices where there 
are no other interfaces, forcing you to use serial for first 
configuration, which is even funnier for the poor souls that install 
OpenWrt in such devices.

So, please explain how clicking on two buttons on the browser when 
connecting the first time matters for people that can deal with the 
above on their own (and therefore know stuff) or are already 100% 
following and trusting a wiki tutorial to install OpenWrt and set up 
their device.

As I already said, just add a couple screenshots and instructions in the 
install guide and it's fine.

> 
> A truly good solution to the actual problem imho doesn't exist
> (because https://youbroketheinternet.org/ )
> 

The only decent solution, and also more user-friendly and easy to expand 
imho is Android/iOS apps. With that you can bypass all the certificate 
mafia bs and do your own thing.
It does not need a backend on the devices either as it can just rely on 
a simple ssh interface to actually talk to the device and send direct 
commands.

That's what most manufacturers are moving towards, like for example GL.iNet
https://www.gl-inet.com/solutions/app/

but also TP-Link with "TP-Link Tether"
Netgear with "Netgear Genie" and "Nighthawk" and "Orbi"
and so on and so forth.

-Alberto


