Paul Spooren <m...@aparcar.org> wrote:
> Hi team,
>
> I recently rewrote px5g[1] to use WolfSSL instead of MbedTLS,
> as the former will be included in OpenWrt 20.x per default.

Cool, more options for ssl libraries is always good.

> If px5g is added to the next release, certificates are
> generated on first boot and most users are unlikely to manually
> recreate RSA ones, not?

I urge this [luci using self-signed certs by default] to be reconsidered. Or at the very least, considered at all, not just happening by default because the ssl library was included for WPA3.

With this change, the very first thing users see is a browser warning telling the user very very very bad things about what they would have to do to continue, and we are simply going to train users to "just click through the warnings". I see that as a serious step backwards for security and society as a whole.

Please consider the threat model. "Classic" out of the box OpenWrt on a consumer LAN router is only offering LuCI to the LAN already. If you have a hostile LAN, self signed certificates aren't helping you. If you have a more complex threat model, you _already_ need something more than these self signed certs can offer. Even when they're accepted, the browser offers zero warning if the certs changed, merely the same "this is self signed" warning again.

Note that even with the self-signed certs, you still receive warnings in the browser. This is sacrificing usability and user experience for security theatre and the checkbox marketing of "TLS out of the box".

Should we have more documentation on how you _could_ set up secure HTTP access? Sure! But this isn't it.

Sincerely,
Karl Palsson

* Yes, I completely agree, the browser vendors are the root of the problem, but that's harder to solve, and can't be solved here. TOFU for private LANs would be a good start.
* Just because other vendors have gone for that checkbox and are using self-signed certs is in no way support for doing it, merely agreeing that the situation is bad.
* https://openwrt.org/docs/guide-user/luci/getting_rid_of_luci_https_certificate_warnings is a decent start.
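The thread's point that a browser gives "zero warning if the certs changed" and that TOFU for private LANs would be a start is illustrated below with an added example that is not part of the mailing list post or of OpenWrt: a trust-on-first-use check that pins a self-signed certificate's SHA-256 fingerprint per host on first contact and flags any later change. The `fetch_peer_der` helper and the JSON pin-store path are assumptions of this example; the sample DER bytes in the demo are constructed stand-ins, not real certificates.

```python
import hashlib
import json
import socket
import ssl
from pathlib import Path

PIN_STORE = Path("tofu_pins.json")  # assumed location of the per-host pin store

def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, hex encoded."""
    return hashlib.sha256(der).hexdigest()

def tofu_check(store: dict, host: str, der: bytes) -> str:
    """Trust-on-first-use: pin on first sight, accept on match, flag on change.

    Returns one of 'pinned', 'match', 'MISMATCH'. The store is updated in place
    only on first use; a changed certificate is never silently re-pinned."""
    fp = fingerprint(der)
    known = store.get(host)
    if known is None:
        store[host] = fp
        return "pinned"
    return "match" if known == fp else "MISMATCH"

def load_store() -> dict:
    return json.loads(PIN_STORE.read_text()) if PIN_STORE.exists() else {}

def save_store(store: dict) -> None:
    PIN_STORE.write_text(json.dumps(store, indent=2))

def fetch_peer_der(host: str, port: int = 443) -> bytes:
    """Fetch the server's leaf certificate in DER form (assumed helper).

    Chain verification is disabled only because a self-signed certificate has no
    chain to verify; the pin comparison in tofu_check is the actual check."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def demo() -> list:
    """Offline walk-through with constructed DER stand-ins (not real certs)."""
    store = {}
    first = b"constructed-der-router-cert-v1"
    regenerated = b"constructed-der-router-cert-v2"  # e.g. after a reflash
    return [tofu_check(store, "192.168.1.1", first),
            tofu_check(store, "192.168.1.1", first),
            tofu_check(store, "192.168.1.1", regenerated)]
```

A real run would replace the constructed bytes with `fetch_peer_der(host)` and persist the store with `save_store`, so that a regenerated or swapped certificate surfaces as `MISMATCH` instead of the same self-signed warning the browser already showed.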
_______________________________________________ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel