A proposal of https certificate assignment system for luci
Alberto Bursi
bobafetthotmail at gmail.com
Tue Oct 6 13:20:26 EDT 2020
On 05/10/20 18:38, Michael Richardson wrote:
>
> Fernando Frediani <fhfrediani at gmail.com> wrote:
> > I am not sure a click-through certificate warning is that much of a
> > security issue in this context, nor should OpenWrt have certificates
> > issued by default if I understood it correctly.
>
> > Most people accessing the OpenWrt LuCI interface know what it is and would
> > not find it strange to have to accept a self-signed certificate. Also,
> > OpenWrt devices are mostly accessible from internal and restricted
> > networks and not exposed to the Internet. Still, if necessary, it is
> > still possible to add their own valid certificate to it in those cases
> > where necessary.
>
> So, let me invert your logic to explain the issue.
>
> Because of the lack of certificates, and the hassle with click-through issues
> with self-signed certificates, access to the OpenWRT LuCI interfaces is
> restricted to people who know what it is. Only highly trained people know
> how to accept a self-signed certificate.
I think calling someone who knows how to click on two buttons in a web
browser interface "highly trained people" is a bit too much.
Just add screenshots to the first-install tutorial and/or something to
the documentation that explains how to do that, in case someone really is
very new and has never needed to accept a self-signed certificate.
>
> As a result, most devices are accessible only from internal networks, and
> usually never exposed to the Internet. Default passwords remain unchanged,
> and malware infecting a vulnerable PC easily attacks the OpenWRT LuCI interface.
>
I think this assumes a situation that is true for IoT and embedded
devices but isn't true for OpenWrt devices.
I mean, someone goes to the length of installing a custom firmware on a
router/AP/NAS/whatever, which involves finding the firmware file and
finding the procedure to flash it (and on many devices you must use TFTP
or serial or other recovery systems; you cannot flash it from the stock web
interface).
When this firmware starts for the first time, the wifi of the device is
disabled, so 90% of the users will very likely want to enable it again.
Any NAS or special function is also disabled or not installed by
default, so a NAS isn't particularly useful at this stage.
Then, after they did that, they decide to leave the device as-is with the
default config, with LAN/WAN routing and no wifi, which is in most cases
plainly worse than what the stock firmware offers?
I was under the impression that people installing OpenWrt do it because
they want some of the features, and that 90% of the people really want
their wifi to be on, so there is a very good incentive to learn what that
error they see in the browser on first installation is and how to
click on a couple of buttons to accept the certificate and proceed to the
interface where they can actually set up what they wanted to do with
their device.
> --
> ] Never tell me the odds! | ipv6 mesh networks [
> ] Michael Richardson, Sandelman Software Works | IoT architect [
> ] mcr at sandelman.ca http://www.sandelman.ca/ | ruby on rails [