On Wed, Aug 30, 2017 at 9:32 PM, danarauz(a)gmail.com <danarauz(a)gmail.com>
wrote:
> The question sent today to the Signal group instead of
> this list:
> Question: Is there a reason why the PON node's web GUI login is done in
> plain text and not via https?
> I just noticed that.
> Answers I got so far:
> Person 1 answer: "Nodes have private IP addresses and you cannot issue
> trusted SSL certificates for them."
> Person 2 answer:
> "Because self-signed certificates generate nasty warnings that are not
> user friendly. Can we please use the mailing list for things that don't
> require immediate responses?"
> My follow-up:
> Thank you for your replies.
> But definitely I would prefer the "nasty warnings" from self-signed
> certs than sending the password in plain text, imo.
It would be nice to have the option to use https and we should do something
(e.g. salt and hash the password) before sending it rather than sending it
unencrypted, but keep in mind that this is happening on the private wifi, so
there is encryption, though of course if you have shared the wifi password
with others then they could still sniff the admin password. Also keep in
mind that the admin password only allows you to change a few things:
changing how much bandwidth is shared and changing the password. There will
be a few other options added like changing wifi channels to use, but there
shouldn't be any privacy dangers if someone gets this password.
It's definitely possible for us to generate a self-signed certificate but
there are no good random sources on the routers (generating a good
certificate requires random data) so unfortunately we would have to accept
low security certificates or we would have to generate the certificates on
our servers which means that we would also have access. Since we already
have root access by default perhaps this is not really a problem. However,
the nasty warnings are really not user friendly at all, so maybe just
adding the salt+hash will be enough? This would still allow a
man-in-the-middle attack but that is a bit harder to do and at least they
won't know the password (in case that password was re-used for other
accounts).
I don't really think it's a big deal if people gain unauthorized access to
the web admin interface as long as we ensure that you can't access or
change any private information.
What do other folks think?
(btw, now I'm wondering if using low level wifi information as random seeds
could improve security for on-router-generated certificates, e.g. least
significant bits of wifi scan result timing)
--
marc/juul
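The "salt and hash the password before sending it" option discussed above, written out as a small added example (not code from the project or from anyone in this thread): the router keeps a per-device salt and a PBKDF2 verifier, hands the salt to the browser, and the browser sends only the derived value. The class and function names are assumptions for illustration.

```python
import hashlib
import hmac
import os

# Constructed example. The admin password never crosses the wire; only a
# salted, slow-hashed derivation of it does. As the thread notes, this keeps
# a sniffer on the shared wifi from learning the password itself (useful if
# it was re-used elsewhere), but the derived value is still
# password-equivalent for this one interface, so it does not stop a
# man-in-the-middle on the login; only TLS closes that gap.

ITERATIONS = 100_000  # PBKDF2 work factor; assumed value


def derive(password: str, salt: bytes) -> bytes:
    """Client-side derivation: the value the browser submits instead of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class RouterAdmin:
    """Server side of the GUI login (hypothetical structure, not the node firmware)."""

    def __init__(self, password: str):
        self.salt = os.urandom(16)                   # per-device salt, made once at setup
        self.verifier = derive(password, self.salt)  # stored in place of the password

    def login_challenge(self) -> bytes:
        # Step 1: the login page hands the salt to the browser.
        return self.salt

    def login(self, submitted: bytes) -> bool:
        # Step 2: constant-time compare; the password is never reconstructed.
        return hmac.compare_digest(submitted, self.verifier)


def browser_login(router: RouterAdmin, password: str) -> tuple[bytes, bool]:
    """Run the exchange; return (bytes that went over the wire, login result)."""
    salt = router.login_challenge()
    on_the_wire = derive(password, salt)
    return on_the_wire, router.login(on_the_wire)


if __name__ == "__main__":
    node = RouterAdmin("correct horse")
    wire, ok = browser_login(node, "correct horse")
    print(f"login ok={ok}, sent {len(wire)} bytes, password in transit={b'correct horse' in wire}")
```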