[RFC] self-signed certificates for LuCI

Karl Palsson karlp at tweak.net.au
Tue Sep 1 09:04:22 EDT 2020


Paul Spooren <mail at aparcar.org> wrote:
> Hi team,
> 
> I recently rewrote px5g[1] to use WolfSSL instead of MbedTLS,
> as the former will be included in OpenWrt 20.x per default.

Cool, more options for ssl libraries is always good.

> 
> If px5g is added to the next release, certificates are
> generated on first boot and most users are unlikely to manually
> recreate RSA ones, not?

I urge this [luci using self-signed certs by default] to be
reconsidered. Or at the very least, considered at all, not just
happening by default because the ssl library was included for
WPA3.

With this change, the very first thing users see is a browser
warning telling the user very very very bad things about what
they would have to do to continue, and we are simply going to
train users to "just click through the warnings" I see that as a
serious step backwards for security and society as a whole.

Please consider the threat model. "Classic" out of the box
OpenWrt on a consumer LAN router is only offering LuCI to the LAN
already. If you have a hostile LAN, self signed certificates
aren't helping you. If you have a more complex threat model, you
_already_ need something more than these self signed certs can
offer. Even when they're accepted, the browser offers zero
warning if the certs changed, merely the same "this is self
signed" warning again.

Note that even with the self-signed certs, you still receive
warnings in the browser. This is sacrificing usability and user
experience for security theatre and the checkbox marketting of
"TLS out of the box"

Should we have more documentation on how you _could_ setup secure
HTTP access? Sure! But this isn't it.

Sincerely,
Karl Palsson

* Yes, I completely agree, the browser vendors are the root of the problem, but that's harder to solve, and can't be solved here.  TOFU for private lans would be a good start.
* Just because other vendors have gone for that checkbox and are using self-signed certs is in no way support for doing it, merely agreeing that the situation is bad.
* https://openwrt.org/docs/guide-user/luci/getting_rid_of_luci_https_certificate_warnings is a decent start.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP-digital-signature.html
Type: application/pgp-signature
Size: 1175 bytes
Desc: OpenPGP Digital Signature
URL: <http://lists.openwrt.org/pipermail/openwrt-devel/attachments/20200901/0f45fa07/attachment.sig>


More information about the openwrt-devel mailing list