Seems good to me.
The main question is: most home users will require it ? I don't think
so. But there may be others that may do, so as long http does not
forward to https seems a good approach so those who want can
deliberately use https.
I think as it stands now forcing https only would be a mistake.
For those who don't want to use may build a custom image it should
really be the other way round since we are talking about something not
essential. But as mentioned if there is not space consumption impact and
not forcibly forward it seems a good approach in my view.
Fernando
On 16/05/2021 10:16, Hauke Mehrtens wrote:
<clip>
Hi,
Adding CONFIG_PACKAGE_luci-ssl to the image will add less then 10
KBytes to the image, my initramfs image for an ath79 got 2.2 KBytes
bigger. This is about 0.05% of the image. We already include a full
TLS library and use it for WPA3 and HTTPS downloads.
Probably some extra size if used by the X.509 certificate we generate
at first boot and store on flash.
With the current approach we would offer the web page under
http://192.168.1.1 and https://192.168.1.1 by default, the user can
choose what he would like o use. The http version will not forward to
the https version. https is not deactivated by default, but the user
can choose which url he uses in his browser.
The certificates are not signed by a certificate authority, so the
browser will not trust them by default, but this already protects the
users from a attacker passively listening on the connection between
the browser and the OpenWrt device. The comparison with telnet and ssh
is pretty good. For SSH we "waste" a lot more memory.
I am for activating it, if you do not want to use it, you can build a
custom image with the image builder without luci-ssl and px5g-wolfssl.
Hauke
_______________________________________________
openwrt-devel mailing list
[email protected]
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
