On Fri Nov 20, 2020 at 7:35 AM HST, Adrian Schmutzler wrote: > Hi, > > > -----Original Message----- > > From: openwrt-devel [mailto:[email protected]] > > On Behalf Of Alberto Bursi > > Sent: Freitag, 20. November 2020 17:32 > > To: [email protected] > > Subject: Re: 20.xx: postponse LuCI HTTPS per default > > > > > > > > On 20/11/20 17:17, Fernando Frediani wrote: > > > Hi Alberto > > > > > > On 20/11/2020 13:09, Alberto Bursi wrote: > > >> > > >> <clip> > > >> > > >> The only thing I can accept as a valid complaint against https by > > >> default is the increased minimum space requirements, everything else > > >> I really don't understand nor agree with. > > > > > > It's exactly this I am referring to when I talk about the extras not > > > the steps the user will take to enable it. So why I mentioned to leave > > > it as optional and easy to do for those who wish (and have space) to have > > it. > > > > > > > Devices with low flash space (and RAM) are already receiving special > > treatment (different compile options, different default packages) to lower > > space footprint. > > > > These devices can (should?) be left out of the "https by default" easily. > > No, this is not an option. We certainly won't have (read "maintain") > _two_ defaults for a matter like this. > > Apart from that, this discussion was not intended to discuss the various > options _again_, but to ask whether we should have "https by default" as > a _blocker_ for the next release. > Personally, since the discussion seems to be as open and unresolved as a > few months ago, I'm against making this a blocker. I'm curious where the > whole topic evolves to, but that's not the subject of this thread.
How about we use `luci-ssl` per default but set `redirect_https` to 0. This way everyone can access in a secure way, without changing the current user experience. An optional combination of Luiz idea could warn the users using HTTP, allowing to "ignore" or "activate redirect". I think that's a feasible solution for 20.xx. Spinning up a massive HTTPS dDNS or defining a new standard accepted in all common browsers seems a bit out of scope, for now. Paul > > Best > > Adrian > > > > > But I would be strongly against degrading security for everyone just because > > of these devices. > > > > -Alberto > > > > > Regards > > > Fernando > > > > > >> > > >> > > >>> Yes it is nice to have everything ready and automated to be done > > >>> with a few clicks for those cases that require it. In fact I think > > >>> this would be a better solution for now so it will be possible to > > >>> gather gradually this transition (or not) from HTTP to HTTPS even > > >>> for local/lan applications and see how often people would opt to use it. > > >>> > > >>> Still should it end up having HTTPS by default I see self-signed > > >>> certificates are the way to go. Yes there are the warnings and I > > >>> really don't think there is any issue with it. > > >>> Those accessing the router Web Interface are not 'normal' Internet > > >>> users and they know what they are doing so the warning from > > >>> self-signed certificates should not be a surprise for them. > > >>> And those cases when admins prefer they can always replace the > > >>> self-signed one for Let's Encrypt for example. > > >>> > > >>> Regards > > >>> Fernando > > >> > > >> > > >> -Alberto > > >> > > >> _______________________________________________ > > >> openwrt-devel mailing list > > >> [email protected] > > >> https://lists.openwrt.org/mailman/listinfo/openwrt-devel > > > > > > _______________________________________________ > > > openwrt-devel mailing list > > > [email protected] > > > https://lists.openwrt.org/mailman/listinfo/openwrt-devel > > > > _______________________________________________ > > openwrt-devel mailing list > > [email protected] > > https://lists.openwrt.org/mailman/listinfo/openwrt-devel _______________________________________________ openwrt-devel mailing list [email protected] https://lists.openwrt.org/mailman/listinfo/openwrt-devel
