Hi all,

This issue has come up recently in the Freifunk-Berlin community. We have brainstormed a little bit and come up with a suggestion.
Would it be possible to have all the headers in the themes contain a link to https (iff the correct packages are installed)? A bonus would be a nice mouse-over explaining to the user about the "potential secure risk ahead" with regards to the certificate.

Greets,
Perry

On 5/17/21 4:48 PM, Fernando Frediani wrote:
> Seems good to me.
> The main question is: most home users will require it? I don't think
> so. But there may be others that may do, so as long as http does not
> forward to https it seems a good approach so those who want can
> deliberately use https.
> I think as it stands now forcing https only would be a mistake.
>
> For those who don't want to use may build a custom image it should
> really be the other way round since we are talking about something not
> essential. But as mentioned if there is no space consumption impact and
> it does not forcibly forward, it seems a good approach in my view.
>
> Fernando
>
> On 16/05/2021 10:16, Hauke Mehrtens wrote:
>> <clip>
>> Hi,
>>
>> Adding CONFIG_PACKAGE_luci-ssl to the image will add less than 10
>> KBytes to the image, my initramfs image for an ath79 got 2.2 KBytes
>> bigger. This is about 0.05% of the image. We already include a full
>> TLS library and use it for WPA3 and HTTPS downloads.
>> Probably some extra size is used by the X.509 certificate we generate
>> at first boot and store on flash.
>>
>> With the current approach we would offer the web page under
>> http://192.168.1.1 and https://192.168.1.1 by default, the user can
>> choose what he would like to use. The http version will not forward to
>> the https version. https is not deactivated by default, but the user
>> can choose which url he uses in his browser.
>>
>> The certificates are not signed by a certificate authority, so the
>> browser will not trust them by default, but this already protects the
>> users from an attacker passively listening on the connection between
>> the browser and the OpenWrt device. The comparison with telnet and ssh
>> is pretty good. For SSH we "waste" a lot more memory.
>>
>> I am for activating it, if you do not want to use it, you can build a
>> custom image with the image builder without luci-ssl and px5g-wolfssl.
>>
>> Hauke
>
>
> _______________________________________________
> openwrt-devel mailing list
> openwrt-devel@lists.openwrt.org
> https://lists.openwrt.org/mailman/listinfo/openwrt-devel