Bas Mevissen <ab...@basmevissen.nl> wrote:
    > A security conscious user/administrator would install a router without any
    > untrusted computers connected to the LAN side and setup the device properly
    > before allowing others to connect. The WAN side connection is not important,
    > as Luci is not listening there by default.

sure.
What do security unconscious people do?

    > previous OpenWRT install. Then the user can setup the WAN side if needed and
    > upload (from local PC), generate (self-signed) or acquire (e.g. Let's
    > Encrypt) the certificates for Luci. After that, the connection is switched to
    > HTTPS and HTTP switched off.

This is a good story, but it doesn't have to be the only story.

    > The only issue I see, is how to transfer admin, WAN and WiFi passwords at
    > first boot in a secure way. Even though the user/admin should be alone on the
    > connection, sending those unencrypted over the line is not desirable. Maybe
    > those can be encrypted using client side javascript.

There is nothing you can do with javascript here that wouldn't just be
security theatre.  If you had anchors you could trust, then it would be done.

    > The challenges IMHO are being able to safely retain previously installed
    > certificates over OpenWRT reflashes/upgrades and having user friendly tools
    > to get new certificates uploaded, generated or acquired. For the latter part,
    > some configurable service to periodically download and install certificates
    > from an external host might be desirable (that's how I do it with my NAS
    > boxes at home).

You need a name in DNS, then it's just a dns-01 challenge.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     m...@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [
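What "just a dns-01 challenge" amounts to on the wire, as an added example that is not part of the thread and not OpenWrt, LuCI or acme.sh code: the client computes the RFC 7638 thumbprint of its ACME account key, joins it to the CA's token to form the key authorization, and publishes base64url(SHA-256(key authorization)) as a TXT record at `_acme-challenge.<name>`; the CA recomputes the same value and compares. The host name `router.example.net`, the token and the EC JWK below are constructed for illustration.

```python
"""ACME dns-01 arithmetic (RFC 8555 section 8.4, RFC 7638 thumbprints).

Added example for this thread; it is not OpenWrt, LuCI or acme.sh code.
The host name, token and JWK below are constructed for illustration.
"""
import base64
import hashlib
import hmac
import json
from typing import Callable, Dict, Iterable, Tuple

# Constructed inputs: a router with a public DNS name, the token the CA put in
# the challenge object, and the ACME account's public key as a JWK.
DOMAIN = "router.example.net"
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
    "kid": "acct-1",  # extra member; must NOT affect the thumbprint
}

# Members that enter the RFC 7638 thumbprint, per key type.
_THUMBPRINT_MEMBERS = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    """RFC 7638: hash the required public members only, keys sorted, no whitespace."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: Dict[str, str]) -> str:
    """token '.' thumbprint: binds the CA's challenge to this account key."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_record(domain: str, token: str, jwk: Dict[str, str]) -> Tuple[str, str]:
    """What the client publishes: owner name and TXT value (sha256 of the key authorization)."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return f"_acme-challenge.{domain}", b64url(digest)


def ca_validates(domain: str, token: str, jwk: Dict[str, str],
                 txt_lookup: Callable[[str], Iterable[str]]) -> bool:
    """CA side: recompute the expected value and look for it among the TXT strings."""
    name, expected = dns01_record(domain, token, jwk)
    return any(hmac.compare_digest(v, expected) for v in txt_lookup(name))


if __name__ == "__main__":
    name, value = dns01_record(DOMAIN, TOKEN, ACCOUNT_JWK)
    print(f'publish: {name} IN TXT "{value}"')
    # A pretend resolver seeded with exactly that record.
    zone = {name: [value]}
    print("CA accepts:", ca_validates(DOMAIN, TOKEN, ACCOUNT_JWK, lambda n: zone.get(n, [])))
```

The part this arithmetic does not cover is the one that matters for a router: to publish the TXT record the device (or the ACME client acting for it) needs an API credential for the zone, so that credential, not the certificate, becomes the secret worth protecting across reflashes.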


_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
