On 8/30/20 3:09 PM, Adrian Schmutzler wrote:
> Hi Hauke,
>
>> -----Original Message-----
>> From: openwrt-devel [mailto:openwrt-devel-boun...@lists.openwrt.org]
>> On Behalf Of Hauke Mehrtens
>> Sent: Saturday, 29 August 2020 20:33
>> To: openwrt-devel@lists.openwrt.org
>> Cc: Hauke Mehrtens <ha...@hauke-m.de>
>> Subject: [PATCH] uhttpd: Increase default certificate validity from 2 to 10 years
>>
>> The user has to accept this specific certificate manually in his browser;
>> the browser does not trust it automatically, and in this process the user
>> gets a scary message to approve. I am not aware of a way to improve this
>> initial certificate approval.
>>
>> After the certificate has expired, the user gets a scary message from his
>> browser again. This message looks very similar to a real man-in-the-middle
>> (MitM) attack: in the MitM attack the warning would complain about a wrong
>> key, in this case about an expired key. We should avoid the user getting
>> such messages; the more he gets such messages, the more likely it is that
>> he will also approve this message when a real MitM attack is happening.
>>
>> When a normal certificate authority is used, the user does not get a scary
>> message when the certificate changes as long as it is still signed by a
>> CA. In such cases it makes sense to have a short validity period, because
>> certificate revocation practically does not work on the Internet.
>> Certificate revocation really does not work for self-signed certificates,
>> but exchanging certificates is hard because of the scary messages users
>> see.
>>
>> Even with a certificate validity of 2 years, an attacker who has access to
>> the private key could use it for the rest of the time to do MitM attacks,
>> which would not be noticed. If a key gets compromised, the user has to
>> manually remove the trust in all SSL clients anyway, no matter if it is
>> valid for 2 or 10 years.
>>
>> Let's not increase it to more than 10 years, because the algorithms used in
>> the certificate will probably not be sufficient any more in 10 years.
>>
>> The default self-signed SSL certificate for Apache in Debian 10 is also
>> valid for 10 years.
>>
>> To increase the security of the users and also make it more user friendly,
>> increase the validity to 10 years.
>
> I think you have a point, but due to the typical lifetime of our releases I'd
> choose 5 years.
We should not create a new key and certificate after a sysupgrade; the old
certificate should still be used, otherwise a user would see a scary warning
message from his browser. A user can still replace the key and certificate
before the old one expires without a problem.

Hauke
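As an added example (not part of the thread or of uhttpd itself), a small shell helper for the check the discussion implies: report how long the router's self-signed certificate remains valid and its fingerprint, so the operator can replace it before the browser starts showing the expiry warning that users cannot tell apart from a MitM warning. It assumes the openssl CLI on a workstation; the /etc/uhttpd.crt path, the 90-day threshold and the EC P-256 key type are assumptions.

```shell
#!/bin/sh
# Added example: inspect and renew a uhttpd self-signed certificate.
# Assumes the openssl CLI; /etc/uhttpd.crt is an assumed default path.

# Exit 0 when the certificate expires within DAYS days, 1 otherwise.
cert_expiring_soon() {
    cert="$1"; days="$2"
    # openssl exits 0 when the certificate will NOT expire within the
    # window, so invert the result.
    if openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# SHA-256 fingerprint (colon-separated hex): the value a user can compare
# with what the browser displays before trusting the certificate.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Generate a replacement self-signed key and certificate valid for DAYS days
# (EC P-256 is an assumption, not stated in the thread).
new_self_signed_cert() {
    key="$1"; cert="$2"; days="$3"; cn="$4"
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$key" -out "$cert" -days "$days" -subj "/CN=$cn" >/dev/null 2>&1
}

# Print the validity window and fingerprint; warn (exit 1) when fewer than
# 90 days remain, so the certificate can be swapped before users see a warning.
check_uhttpd_cert() {
    cert="${1:-/etc/uhttpd.crt}"
    openssl x509 -in "$cert" -noout -dates
    echo "SHA-256 fingerprint: $(cert_fingerprint "$cert")"
    if cert_expiring_soon "$cert" 90; then
        echo "WARNING: certificate expires within 90 days; replace it now"
        return 1
    fi
    echo "Certificate is valid for more than 90 days"
}

if [ $# -gt 0 ]; then
    check_uhttpd_cert "$1"
fi
```

Run as `sh check-cert.sh /path/to/uhttpd.crt` against a copy of the router's certificate; on the device itself the openssl CLI is usually absent, so copy the file to a workstation first.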
_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel