Hi Fernando,

Sorry for any confusion. Our suggestion has two parts.

1) a link in the header which allows the user to go from http to https.
2) a mouse-over message explaining self-signed certificates.

Part 2 is a bonus. But I think it would be really nice. An inexperienced user might worry when Firefox presents the message "potential security risk ahead".

Greets,
Perry

On 9/18/21 10:21 PM, Fernando Frediani wrote:
> Hello Perry
>
> I didn't understand your suggestion fully.
>
> You wish to put some warning to users who are willing to use https about
> the self-signed certificate or about users using http ?
>
> Regards
> Fernando
>
> On 17/09/2021 09:07, Perry wrote:
>> Hi all,
>>
>> This issue has come up recently in the Freifunk-Berlin community. We
>> have brainstormed a little bit and came up with a suggestion.
>>
>> Would it be possible to have all the headers in the themes to contain a
>> link to https (iff the correct packages are installed)? A bonus would
>> be a nice mouse-over explaining to the user about the "potential secure
>> risk ahead" with regards to the certificate.
>>
>> Greets,
>> Perry
>>
>> On 5/17/21 4:48 PM, Fernando Frediani wrote:
>>> Seems good to me.
>>> The main question is: most home users will require it ? I don't think
>>> so. But there may be others that may do, so as long http does not
>>> forward to https seems a good approach so those who want can
>>> deliberately use https.
>>> I think as it stands now forcing https only would be a mistake.
>>>
>>> For those who don't want to use may build a custom image it should
>>> really be the other way round since we are talking about something not
>>> essential. But as mentioned if there is not space consumption impact and
>>> not forcibly forward it seems a good approach in my view.
>>>
>>> Fernando
>>>
>>> On 16/05/2021 10:16, Hauke Mehrtens wrote:
>>>> <clip>
>>>> Hi,
>>>>
>>>> Adding CONFIG_PACKAGE_luci-ssl to the image will add less than 10
>>>> KBytes to the image, my initramfs image for an ath79 got 2.2 KBytes
>>>> bigger. This is about 0.05% of the image. We already include a full
>>>> TLS library and use it for WPA3 and HTTPS downloads.
>>>> Probably some extra size if used by the X.509 certificate we generate
>>>> at first boot and store on flash.
>>>>
>>>> With the current approach we would offer the web page under
>>>> http://192.168.1.1 and https://192.168.1.1 by default, the user can
>>>> choose what he would like to use. The http version will not forward to
>>>> the https version. https is not deactivated by default, but the user
>>>> can choose which url he uses in his browser.
>>>>
>>>> The certificates are not signed by a certificate authority, so the
>>>> browser will not trust them by default, but this already protects the
>>>> users from an attacker passively listening on the connection between
>>>> the browser and the OpenWrt device. The comparison with telnet and ssh
>>>> is pretty good. For SSH we "waste" a lot more memory.
>>>>
>>>> I am for activating it, if you do not want to use it, you can build a
>>>> custom image with the image builder without luci-ssl and px5g-wolfssl.
>>>>
>>>> Hauke
>>>
>>> _______________________________________________
>>> openwrt-devel mailing list
>>> openwrt-devel@lists.openwrt.org
>>> https://lists.openwrt.org/mailman/listinfo/openwrt-devel
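
The header link (part 1) and mouse-over text (part 2) suggested in this thread, sketched as an added example that is not part of the thread and not LuCI code: `httpsLinkFor`, the `httpsAvailable` flag, `httpsPort` and the tooltip wording are hypothetical. It only offers a link and never redirects, matching the default described above where http does not forward to https.

```javascript
// Added example: all names and the tooltip wording are assumptions, not LuCI code.
const CERT_HINT =
  'Encrypted connection to this device. Its certificate is self-signed, ' +
  'so the browser will show a warning before the page opens.';

// Returns { href, title } for a header link, or null when no link applies.
// httpsAvailable: hypothetical flag the server sets when HTTPS is being served
//                 (i.e. the required packages are installed).
// httpsPort:      hypothetical setting for the HTTPS listener port.
function httpsLinkFor(currentHref, { httpsAvailable = false, httpsPort = 443 } = {}) {
  if (!httpsAvailable) return null;           // no HTTPS listener: offer nothing
  let url;
  try {
    url = new URL(currentHref);
  } catch (e) {
    return null;                              // unparsable location
  }
  if (url.protocol !== 'http:') return null;  // already on https, or not a web page
  url.protocol = 'https:';
  url.port = String(httpsPort);               // the default port 443 serialises as no port
  url.username = '';                          // never carry credentials into the link
  url.password = '';
  return { href: url.href, title: CERT_HINT };
}

// Constructed sample locations, including a non-default port and an IPv6 literal.
const samples = [
  ['http://192.168.1.1/cgi-bin/luci/', { httpsAvailable: true }],
  ['http://192.168.1.1:8080/cgi-bin/luci/admin?tab=1#top', { httpsAvailable: true, httpsPort: 8443 }],
  ['http://[fd00::1]/', { httpsAvailable: true }],
  ['https://192.168.1.1/', { httpsAvailable: true }],
  ['http://192.168.1.1/', {}],
];
for (const [href, opts] of samples) {
  const link = httpsLinkFor(href, opts);
  console.log(href, '->', link ? link.href : '(no link shown)');
}
```
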