I think making use of self-signed certificates in production is a bad
idea because (1) it reinforces poor practices, namely electing to trust
a self-signed certificate and (2) it does not authenticate the
server/router, a critical piece of the TLS security model.

My point of view is that we should delay HTTPS-by-default until we have
a scheme for establishing the identity of the router. Until then, we
should be honest and make use of HTTP.

-- 
Mike

:wq
