On 2020-10-04 15:48, abnoeh wrote:
A few months ago there was some debate about how we handle the certificate for
the LuCI page: making the user click through a certificate warning is not that
great for security, so here is a proposal for automatically assigning a
worldwide unique subdomain, how to make a valid certificate for it, and how to
make sure the user connects to the device he is expecting.


After reading the previous debate (in part) and this one, I'm wondering whether we aren't making things more difficult than they need to be.

A security conscious user/administrator would install a router without any untrusted computers connected to the LAN side and set up the device properly before allowing others to connect. The WAN side connection is not important, as LuCI is not listening there by default.

So I think it is reasonably safe to do the initial setup over HTTP (without the "S") at the first boot if there are no certificates available from a previous OpenWrt install. Then the user can set up the WAN side if needed and upload (from a local PC), generate (self-signed) or acquire (e.g. Let's Encrypt) the certificates for LuCI. After that, the connection is switched to HTTPS and HTTP is switched off.

The only issue I see is how to transfer admin, WAN and WiFi passwords at first boot in a secure way. Even though the user/admin should be alone on the connection, sending those unencrypted over the line is not desirable. Maybe those can be encrypted using client-side JavaScript.

The challenges IMHO are being able to safely retain previously installed certificates over OpenWrt reflashes/upgrades and having user-friendly tools to get new certificates uploaded, generated or acquired. For the latter part, some configurable service to periodically download and install certificates from an external host might be desirable (that's how I do it with my NAS boxes at home).

Cheers,

Bas.
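A first-boot bootstrap script along the lines of the procedure above, added here as an example (it is not code from this thread or from OpenWrt): reuse a certificate that survived the flash or generate a self-signed one, switch uhttpd to HTTPS only, and list the files in /etc/sysupgrade.conf so they are kept on upgrade. It assumes the stock `uhttpd.main` UCI section, the default `/etc/uhttpd.crt` and `/etc/uhttpd.key` paths, and an `openssl` binary on the router; the hostname `openwrt.lan` is a constructed placeholder.

```shell
#!/bin/sh
# Added example: LuCI certificate bootstrap for first boot (assumptions: stock
# uhttpd UCI layout, openssl available). Not part of OpenWrt.
set -eu

CERT=/etc/uhttpd.crt
KEY=/etc/uhttpd.key

# Returns 0 when both cert and key exist and are non-empty (reuse them),
# 1 when a new certificate has to be generated.
have_cert() {
    [ -s "$1" ] && [ -s "$2" ]
}

# Generate a self-signed certificate only if none survived the flash.
ensure_cert() {
    if have_cert "$CERT" "$KEY"; then
        echo "reusing existing certificate $CERT"
        return 0
    fi
    openssl req -x509 -newkey rsa:2048 -nodes -days 825 \
        -subj "/CN=openwrt.lan" -keyout "$KEY" -out "$CERT"   # placeholder CN
    chmod 600 "$KEY"
}

# Emit (rather than run) the uci commands that point uhttpd at the certificate
# and drop every plain-HTTP listener, so the change can be reviewed off-device.
https_only_uci() {
    cat <<EOF
uci set uhttpd.main.cert='$CERT'
uci set uhttpd.main.key='$KEY'
uci delete uhttpd.main.listen_http
uci commit uhttpd
EOF
}

# Keep cert and key across sysupgrade by listing them in sysupgrade.conf
# (idempotent: a path already listed is not added twice).
persist_cert() {
    conf="${1:-/etc/sysupgrade.conf}"
    for f in "$CERT" "$KEY"; do
        grep -qxF "$f" "$conf" 2>/dev/null || echo "$f" >> "$conf"
    done
}

# Apply only when running on a router (uci present); harmless elsewhere.
if command -v uci >/dev/null 2>&1; then
    ensure_cert
    https_only_uci | sh
    persist_cert
    /etc/init.d/uhttpd restart
fi
```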

_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
