A proposal of https certificate assignment system for luci

Bas Mevissen abuse at basmevissen.nl
Fri Oct 9 07:29:03 EDT 2020


On 2020-10-04 15:48, abnoeh wrote:
> A few months ago there was some debate about how we handle the certificate for
> the luci page: making the user click through a certificate warning is not that
> great for security, so here is a proposal for automatically assigning a
> worldwide unique subdomain, how to make a valid certificate for it, and how to
> make sure we can connect to the device he is expecting.
> 

After reading the previous debate (in part) and this one, I'm
wondering whether we aren't making things more difficult than they
need to be.

A security-conscious user/administrator would install a router without
any untrusted computers connected to the LAN side and set up the device
properly before allowing others to connect. The WAN side connection is
not important, as Luci is not listening there by default.

So I think it is reasonably safe to do the initial setup over HTTP
(without the "S") at the first boot if there are no certificates
available from a previous OpenWRT install. Then the user can set up the
WAN side if needed and upload (from the local PC), generate (self-signed) or
acquire (e.g. Let's Encrypt) the certificates for Luci. After that, the
connection is switched to HTTPS and HTTP is switched off.

The only issue I see is how to transfer the admin, WAN and WiFi passwords
at first boot in a secure way. Even though the user/admin should be
alone on the connection, sending those unencrypted over the line is not
desirable. Maybe those can be encrypted using client-side JavaScript.

The challenges IMHO are being able to safely retain previously installed
certificates over OpenWRT reflashes/upgrades and having user-friendly
tools to get new certificates uploaded, generated or acquired. For the
latter part, some configurable service to periodically download and
install certificates from an external host might be desirable (that's
how I do it with my NAS boxes at home).

Cheers,

Bas.
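The switch-over step of the flow sketched in the mail (stay on plain HTTP until a certificate and key are in place, then move LuCI to HTTPS and turn HTTP off), as an added example that is not part of the original post or of OpenWrt/LuCI itself. It assumes OpenWrt's uhttpd with its UCI section `uhttpd.main` and the options `cert`, `key`, `listen_http` and `listen_https`; the certificate and key paths, the script name and the `--apply` flag are placeholders, and the only guard it adds is refusing to drop the HTTP listener before the TLS material checks out, so the admin cannot lock themselves out.

```shell
#!/bin/sh
# Hypothetical helper (added example, not OpenWrt/LuCI code): keep LuCI on
# HTTP until a certificate and key exist, then switch uhttpd to HTTPS only.

# Return 0 only if both files exist, are regular files and are non-empty.
cert_ready() {
    crt=$1; key=$2
    [ -f "$crt" ] && [ -s "$crt" ] && [ -f "$key" ] && [ -s "$key" ]
}

# Sanity check: the certificate must belong to the key, otherwise uhttpd
# would come up with a broken TLS listener after HTTP is gone. Skipped when
# openssl is not installed (it is an optional package on OpenWrt).
cert_matches_key() {
    crt=$1; key=$2
    command -v openssl >/dev/null 2>&1 || return 0
    pub_crt=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || return 1
    pub_key=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ -n "$pub_crt" ] && [ "$pub_crt" = "$pub_key" ]
}

# Point uhttpd at the material, remove the HTTP listeners and restart.
# Refuses to act unless both checks above pass.
apply_https_only() {
    crt=$1; key=$2
    cert_ready "$crt" "$key" || { echo "certificate or key missing" >&2; return 1; }
    cert_matches_key "$crt" "$key" || { echo "certificate does not match key" >&2; return 1; }
    uci set uhttpd.main.cert="$crt"
    uci set uhttpd.main.key="$key"
    uci -q delete uhttpd.main.listen_http          # HTTP off, as in the proposal
    uci -q delete uhttpd.main.listen_https
    uci add_list uhttpd.main.listen_https='0.0.0.0:443'
    uci add_list uhttpd.main.listen_https='[::]:443'
    uci commit uhttpd
    /etc/init.d/uhttpd restart
}

# Only acts when invoked explicitly, e.g. after a certificate upload:
#   sh switch_https.sh --apply /etc/uhttpd.crt /etc/uhttpd.key
if [ "${1:-}" = "--apply" ]; then
    apply_https_only "$2" "$3"
fi
```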

