The only reason I see to have HTTPS and certificates in OpenWrt in my
view is to give some layer of security for those accessing the router
via Wifi or over the Internet for example.
And only admins, who have setup the router or work directly with it will
access it (not normal users) so they know well what they are doing to
not find a problem to have a self-signed certificate, or if it's the
case they may deploy (optionally and later on) a Let's Encrypt
certificatate which will be in even fewer cases.
Fernando
On 20/11/2020 12:52, W. Michael Petullo wrote:
I think making use of self-signed certificates in production is a bad
idea because (1) it reinforces poor practices, namely electing to trust
a self-signed certificate and (2) it does not authenticate the
server/router, a critical piece of the TLS security model.
My point of view is that we should delay HTTPS-by-default until we have
a scheme for establishing the identity of the router. Until then, we
should be honest and make use of HTTP.
_______________________________________________
openwrt-devel mailing list
[email protected]
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
