On Wed, Aug 30, 2017 at 9:32 PM, danarauz@gmail.com <danarauz@gmail.com> wrote:
The question sent today to the Signal group instead of this list:

Question: Is there a reason why the PON node's web GUI login is done in plain text and not via https?
I just noticed that.

Answers I got so far:
Person 1 answer: "Nodes have private IP addresses and you cannot issue trusted SSL certificates for them."
Person 2 answer:
"Because self-signed certificates generate nasty warnings that are not user friendly. Can we please use the mailing list for things that don't require immediate responses?"
My follow-up:

Thank you for your replies.
But I would definitely prefer the "nasty warnings" from self-signed certs over sending the password in plain text, imo.

It would be nice to have the option to use https, and we should do something (e.g. salt and hash the password) before sending it rather than sending it unencrypted. But keep in mind that this is happening on the private wifi, so there is encryption, though of course if you have shared the wifi password with others then they could still sniff the admin password. Also keep in mind that the admin password only allows you to change a few things: how much bandwidth is shared and the password itself. There will be a few other options added, like changing which wifi channels to use, but there shouldn't be any privacy dangers if someone gets this password.

It's definitely possible for us to generate a self-signed certificate, but there are no good random sources on the routers (generating a good certificate requires random data), so unfortunately we would have to accept low-security certificates, or we would have to generate the certificates on our servers, which means that we would also have access. Since we already have root access by default, perhaps this is not really a problem. However, the nasty warnings are really not user friendly at all, so maybe just adding the salt+hash will be enough? This would still allow a man-in-the-middle attack, but that is a bit harder to do, and at least they won't know the password (in case that password was re-used for other accounts).

I don't really think it's a big deal if people gain unauthorized access to the web admin interface as long as we ensure that you can't access or change any private information.

What do other folks think?

(btw, now I'm wondering if using low-level wifi information as random seeds could improve security for on-router-generated certificates, e.g. least significant bits of wifi scan result timing)
 
--
marc/juul
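As an added illustration of the "salt+hash before sending" idea discussed in the thread (example code, not the project's own login code, and it goes one step beyond a plain salted hash by having the router issue a fresh nonce per login so a sniffed response cannot simply be replayed): the wifi sniffer sees only the nonce and an HMAC, never the password, but an on-path attacker can still relay the exchange and hijack the session, which is the man-in-the-middle limitation the message points out. The device salt, iteration count and password below are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Constructed per-device salt; in practice it would be generated once and sent to
# the browser along with the login page (the salt is not secret).
DEVICE_SALT = b"constructed-per-device-salt"
PBKDF2_ITERS = 50_000  # constructed value for the example

def make_verifier(password: str) -> bytes:
    """Value the router stores instead of the password. Note: whoever steals this
    from the router can log in with it directly, so it is password-equivalent."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), DEVICE_SALT, PBKDF2_ITERS)

def server_challenge() -> bytes:
    """Router side: fresh random nonce for each login attempt (never reused)."""
    return secrets.token_bytes(16)

def client_response(password: str, nonce: bytes) -> bytes:
    """Browser side: derive the same verifier locally and bind it to the nonce.
    Only this HMAC crosses the wifi; the password itself never does."""
    verifier = make_verifier(password)
    return hmac.new(verifier, nonce, hashlib.sha256).digest()

def server_verify(stored_verifier: bytes, nonce: bytes, response: bytes) -> bool:
    """Router side: recompute and compare in constant time."""
    expected = hmac.new(stored_verifier, nonce, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)

def demo() -> tuple[bool, bool]:
    """Returns (legitimate login accepted, replay of a sniffed response accepted)."""
    stored = make_verifier("correct horse")           # constructed password
    nonce1 = server_challenge()
    sniffed = client_response("correct horse", nonce1)  # what a wifi sniffer captures
    accepted = server_verify(stored, nonce1, sniffed)
    # The sniffer later tries to log in by resending the captured response against
    # the router's new challenge; the nonce differs, so it fails.
    nonce2 = server_challenge()
    replayed = server_verify(stored, nonce2, sniffed)
    # Caveat: an attacker relaying the live exchange still gets the session, so this
    # does not replace TLS; it only keeps the password itself off the wire.
    return accepted, replayed

if __name__ == "__main__":
    print(demo())
```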