Hello Perry

I didn't understand your suggestion fully.

You wish to put some warning to users who are willing to use https about the self-signed certificate or about users using http?

Regards
Fernando

On 17/09/2021 09:07, Perry wrote:
Hi all,

This issue has come up recently in the Freifunk-Berlin community.  We
have brainstormed a little bit and came up with a suggestion.

Would it be possible to have all the headers in the themes to contain a
link to https (iff the correct packages are installed)?  A bonus would
be a nice mouse-over explaining to the user about the "potential secure
risk ahead" with regards to the certificate.

Greets,
Perry

On 5/17/21 4:48 PM, Fernando Frediani wrote:
Seems good to me.
The main question is: most home users will require it? I don't think
so. But there may be others that may do, so as long as http does not
forward to https seems a good approach so those who want can
deliberately use https.
I think as it stands now forcing https only would be a mistake.

For those who don't want to use may build a custom image it should
really be the other way round since we are talking about something not
essential. But as mentioned if there is not space consumption impact and
not forcibly forward it seems a good approach in my view.

Fernando

On 16/05/2021 10:16, Hauke Mehrtens wrote:
<clip>
Hi,

Adding CONFIG_PACKAGE_luci-ssl to the image will add less than 10
KBytes to the image, my initramfs image for an ath79 got 2.2 KBytes
bigger. This is about 0.05% of the image. We already include a full
TLS library and use it for WPA3 and HTTPS downloads.
Probably some extra size is used by the X.509 certificate we generate
at first boot and store on flash.

With the current approach we would offer the web page under
http://192.168.1.1 and https://192.168.1.1 by default, the user can
choose what he would like to use. The http version will not forward to
the https version. https is not deactivated by default, but the user
can choose which url he uses in his browser.

The certificates are not signed by a certificate authority, so the
browser will not trust them by default, but this already protects the
users from an attacker passively listening on the connection between
the browser and the OpenWrt device. The comparison with telnet and ssh
is pretty good. For SSH we "waste" a lot more memory.

I am for activating it, if you do not want to use it, you can build a
custom image with the image builder without luci-ssl and px5g-wolfssl.

Hauke

_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel