Petr Štetiar [2020-11-20 11:44:14]:
> > I'd like to suggest to postpone HTTPS LuCI (`luci-ssl` vs `luci`) per
> > default.
>
> Do we need to make this hard decision? Can't we leave it to the end users?
> We need most of the SSL stuff for other parts, so why not benefit from that in
> other
On 26/11/20 06:57, suchan wrote:
On 2020-11-21 at 12:31 AM, Fernando Frediani wrote:
Yes, exactly it is only an issue when someone has to access the web
interface via wifi. In a home environment that is a small issue. In a
more corporate environment there are two options: 1) access is done
via
On 2020-11-21 at 12:31 AM, Fernando Frediani wrote:
Yes, exactly it is only an issue when someone has to access the web
interface via wifi. In a home environment that is a small issue. In a
more corporate environment there are two options: 1) access is done
via wired network or 2) enable HTTPS,
> I think that if the first setup is done with only the router and the trusted
> PC connected to it through an ethernet cable (wifi is disabled by default),
> there is physically nothing else on that "network" so whatever you see can
> be accepted even if you don't have "dual authentication" with
@lists.openwrt.org
Subject: Re: 20.xx: postponse LuCI HTTPS per default
On 20/11/20 17:17, Fernando Frediani wrote:
Hi Alberto
On 20/11/2020 13:09, Alberto Bursi wrote:
The only thing I can accept as a valid complaint against https by
default is the increased minimum space requirements, everything
On 20/11/20 19:22, W. Michael Petullo wrote:
I think making use of self-signed certificates in production is a bad
idea because (1) it reinforces poor practices, namely electing to trust
a self-signed certificate and (2) it does not authenticate the
server/router, a critical piece of the TLS
On 20/11/20 18:35, Adrian Schmutzler wrote:
Hi,
-----Original Message-----
From: openwrt-devel [mailto:openwrt-devel-boun...@lists.openwrt.org]
On Behalf Of Alberto Bursi
Sent: Freitag, 20. November 2020 17:32
To: openwrt-devel@lists.openwrt.org
Subject: Re: 20.xx: postponse LuCI HTTPS per
-devel@lists.openwrt.org
> > Subject: Re: 20.xx: postponse LuCI HTTPS per default
> >
> >
> >
> > On 20/11/20 17:17, Fernando Frediani wrote:
> > > Hi Alberto
> > >
> > > On 20/11/2020 13:09, Alberto Bursi wrote:
> > > >
I think making use of self-signed certificates in production is a bad
idea because (1) it reinforces poor practices, namely electing to trust
a self-signed certificate and (2) it does not authenticate the
server/router, a critical piece of the TLS security model.
>>> maybe,
On 20/11/20 17:47, W. Michael Petullo wrote:
I think making use of self-signed certificates in production is a bad
idea because (1) it reinforces poor practices, namely electing to trust
a self-signed certificate and (2) it does not authenticate the
server/router, a critical piece of the TLS
Hi,
> -----Original Message-----
> From: openwrt-devel [mailto:openwrt-devel-boun...@lists.openwrt.org]
> On Behalf Of Alberto Bursi
> Sent: Freitag, 20. November 2020 17:32
> To: openwrt-devel@lists.openwrt.org
> Subject: Re: 20.xx: postponse LuCI HTTPS per default
>
>
Hi,
I guess we could simply ask the user by default (with options to auto
generate a certificate or ignore https). LuCI already warns that a
root password must be set.
Why not also add something like: "Upgrade to a secure connection?".
"No password Set!
There is no ...
...
"
On 20/11/20 17:39, Fernando Frediani wrote:
Hi. I don't really see having HTTPS by default as something that makes
such a difference for most common users nor as a major security issue in
the context it is used at the cost it puts, which may seem not too much
but I always think of the very
>> I think making use of self-signed certificates in production is a bad
>> idea because (1) it reinforces poor practices, namely electing to trust
>> a self-signed certificate and (2) it does not authenticate the
>> server/router, a critical piece of the TLS security model.
> maybe, but it's
Hi. I don't really see having HTTPS by default as something that makes
such a difference for most common users nor as a major security issue in
the context it is used at the cost it puts, which may seem not too much
but I always think of the very minimal for a default image and HTTPS
isn't
On 20/11/20 17:17, Fernando Frediani wrote:
Hi Alberto
On 20/11/2020 13:09, Alberto Bursi wrote:
The only thing I can accept as a valid complaint against https by
default is the increased minimum space requirements, everything else I
really don't understand nor agree with.
It's
Hi Alberto
On 20/11/2020 13:09, Alberto Bursi wrote:
The only thing I can accept as a valid complaint against https by
default is the increased minimum space requirements, everything else I
really don't understand nor agree with.
It's exactly this I am referring to when I talk about the
On 20/11/20 16:52, W. Michael Petullo wrote:
I think making use of self-signed certificates in production is a bad
idea because (1) it reinforces poor practices, namely electing to trust
a self-signed certificate and (2) it does not authenticate the
server/router, a critical piece of the TLS
On 20/11/20 16:31, Fernando Frediani wrote:
Yes, exactly it is only an issue when someone has to access the web
interface via wifi. In a home environment that is a small issue.
Not sure how it is a small issue when wifi is the main method used to
connect to a router and the Internet in a
The only reason I see to have HTTPS and certificates in OpenWrt in my
view is to give some layer of security for those accessing the router
via Wifi or over the Internet for example.
And only admins, who have set up the router or work directly with it will
access it (not normal users) so they
I think making use of self-signed certificates in production is a bad
idea because (1) it reinforces poor practices, namely electing to trust
a self-signed certificate and (2) it does not authenticate the
server/router, a critical piece of the TLS security model.
My point of view is that we
Yes, exactly it is only an issue when someone has to access the web
interface via wifi. In a home environment that is a small issue. In a
more corporate environment there are two options: 1) access is done via
wired network or 2) enable HTTPS, which makes more sense.
Enabling HTTPS by default
On 20/11/20 14:22, Fernando Frediani wrote:
I don't see having HTTPS by default in LuCI as something good or even
necessary? It's actually an unnecessary complication that could always
be optional.
One of the main reasons is that in many and probably most cases of a new
deployed OpenWrt
I don't see having HTTPS by default in LuCI as something good or even
necessary? It's actually an unnecessary complication that could always
be optional.
One of the main reasons is that in many and probably most cases of a new
deployed OpenWrt router there is still no Internet connection
Paul Spooren [2020-11-19 13:09:02]:
Hi,
> while 20.xx seems close,
I don't share your view on this one, 21.xx is close, yes :-) Just being
realistic here. So I would say, that if this issue should be tackled, there is
still some time left to do so.
> I'd like to suggest to postpone HTTPS
"Paul Spooren" writes:
> The current list of release goals for 20.xx states[0] that LuCI should
> use HTTPS per default. This works by creating on-device a self-signed
> certificate. Self-signed certificates result in warnings and may cause
> more harm than good, multiple discussions are found in
"Paul Spooren" wrote:
> Hi,
>
> The current list of release goals for 20.xx states[0] that LuCI
> should use HTTPS per default. This works by creating on-device
> a self-signed certificate. Self-signed certificates result in
> warnings and may cause more harm than good, multiple discussions
>
> From: Michael Richardson
> Subject: Re: 20.xx: postponse LuCI HTTPS per default
> Date: 2020-11-20, 7:26:44 AM EET
> To: "Paul Spooren" , openwrt-devel@lists.openwrt.org
>
>
>
> Paul Spooren wrote:
>> The current list of release goals for 20.xx sta
Paul Spooren wrote:
> The current list of release goals for 20.xx states[0] that LuCI should
> use HTTPS per default. This works by creating on-device a self-signed
> certificate. Self-signed certificates result in warnings and may cause
> more harm than good, multiple discussions
> Given that the first login via LuCI, on a fresh install, is not with a
> password anyway. What if setting the initial password sets up
> letsencrypt also. Then when letsencrypt's first successful cert install,
> https gets enabled as the default and then requests the user reboot to
> complete
Hi
On 2020-11-19, TheWerthFam wrote:
> Given that the first login via LuCI, on a fresh install, is not with a
> password anyway. What if setting the initial password sets up
> letsencrypt also. Then when letsencrypt's first successful cert install,
> https gets enabled as the default and then
Given that the first login via LuCI, on a fresh install, is not with a
password anyway. What if setting the initial password sets up
letsencrypt also. Then when letsencrypt's first successful cert install,
https gets enabled as the default and then requests the user reboot to
complete the
Hi,
The current list of release goals for 20.xx states[0] that LuCI should
use HTTPS per default. This works by creating on-device a self-signed
certificate. Self-signed certificates result in warnings and may cause
more harm than good, multiple discussions are found in the mail archive.
As no