A proposal of https certificate assignment system for luci
Alberto Bursi
bobafetthotmail at gmail.com
Wed Oct 7 18:01:05 EDT 2020
On 07/10/20 04:01, Daniel Golle wrote:
> Hi Alberto,
> Hi Michael,
> Hi everyone else,
>
> I don't understand how your argument is related to that pretty nice
> suggestion regarding a fairly complex and (unfortunately) relevant
> problem.
It is relevant because it's asking how big of a problem it actually is
to maintain the current status quo of accepting the warnings with the
buttons.
In my opinion, until the browsers start blocking the connection to sites
with self-signed certificates, this is a non-issue because the userbase
is tech-savvy enough to read the wiki and follow a tutorial, since they
are already following a tutorial to install OpenWrt to begin with.
> Apart from it being hard to prove that people wanting to access the
> configuration (and status!) interface of a device running OpenWrt (or
> something based on it) are all prosumers or developers, for future
> users this assumption even has the taste of a self-fulfilling
> prophecy.
Hard to prove? I thought it was obvious enough. Is the following
situation different where you live?
Where I live (Italy), the devices from all ISPs have always been
pre-configured since ages ago, wifi is always enabled and the
device-specific wifi key is on a sticker under the device, also WPS
functionality is commonly available with a button.
They never ever have to open its configuration panels to do anything,
just connect the cables and power plug.
A few ISPs don't even provide passwords for their device web interface
and their tech support people will remote-control them to enable or
disable features (open ports and add rules and whatnot) as requested by
the customer on the phone.
For devices that aren't provided by the ISPs, basic stuff like setting
up a guest wifi or sharing a USB device are one-button wizards that just
ask the network name and password, or what is the USB device you want to
share.
All devices with a SIM card slot and modem are plug-and-play aka you
just insert a SIM without the PIN and power on, and everything works.
Also most devices have a selector in the web interface that allows you to
turn them into three modes: wifi AP, wifi repeater, router
and reconfigures a bunch of stuff under the hood.
On OpenWrt the user experience is very different from that, and I don't
think it's a stretch to assume that it is filtering the userbase.
We start by installing a custom firmware on a device, sometimes easy
sometimes hard. The entire concept of doing that already filters out
many non-tech-savvy people.
If we talk of OpenWrt used on ISP-provided devices, it's usually a
pre-configured plug-and-play system that the end user never looks at again.
Then you must set up the wifi network, no wizard. It's assumed you know
how to do it or read the wiki.
Changing "mode" of the device requires multiple steps of configuration on
OpenWrt, sometimes can only be done from commandline. Again, it's
assumed you know how to do it or have RTFM.
Many features require copy-pasting console commands and/or following a
tutorial from the wiki to do this or that. Even basic stuff like setting
up a guest wifi requires multiple steps of configuration setting new
interfaces, new firewall rules and whatnot.
Connecting and sharing a USB drive? Yay, more steps to connect it,
install drivers, mount it, set up Samba on the folder it is mounted on.
Using devices that have an integrated 3G/LTE modem? More configuration.
You want to set up a RAID on a NAS device? Commandline only, baby.
All proposals for making a default wifi with device-specific passwords
have been shot down, and wifi isn't enabled even in devices where there
are no other interfaces, forcing you to use serial for first
configuration, which is even funnier for the poor souls that install
OpenWrt in such devices.
So, please explain how clicking on two buttons on the browser when
connecting the first time matters for people that can deal with the
above on their own (and therefore know stuff) or are already 100%
following and trusting a wiki tutorial to install OpenWrt and set up
their device.
As I already said, just add a couple screenshots and instructions in the
install guide and it's fine.
>
> A truly good solution to the actual problem imho doesn't exist
> (because https://youbroketheinternet.org/ )
>
The only decent solution, and also more user-friendly and easy to expand
imho is Android/iOS apps. With that you can bypass all the certificate
mafia bs and do your own thing.
It does not need a backend on the devices either as it can just rely on
a simple ssh interface to actually talk to the device and send direct
commands.
That's what most manufacturers are moving towards, like for example GL.Inet
https://www.gl-inet.com/solutions/app/
but also TP-link with "TP-link Tether"
Netgear with "Netgear Genie" and "Nighthawk" and "Orbi"
and so on and so forth.
-Alberto