Regarding HTTPS/SSL connection to OpenWrt

I was doing some Wireshark exercises today trying to see if I could sniff my own credentials to OpenWrt.

OpenWrt shows a certificate installed - is this just a self-signed cert installed by default?

When viewing my .pcap, it does appear the login traffic was encrypted. Is this 'pseudo' encrypted since the cert isn't secure? Correct me if I'm wrong.

I can see my creds in plain within the browser console - as expected. Is login stored as an HTTP-only cookie? Can this be set?

Is purchasing a cheap domain for TLS cert encryption overkill for a basic home network? Perhaps a management VLAN would be less tin-foil?

Thanks

Self-signed isn't the same as not secure. The traffic is just as well encrypted as it would be with an equivalent signed certificate. Signing in this respect isn't about the level of encryption, but about how much you can trust that the certificate relates to what it says it does. Obviously, in a network you control, where you know where the self-signed cert has come from, that's generally not an issue.

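One way to act on "know where the self-signed cert has come from" in a script is to pin the certificate's SHA-256 fingerprint instead of relying on a CA chain. This is an added example, not code from the thread or from OpenWrt; the function names are hypothetical, the pin is assumed to have been recorded over a trusted channel, and the sample bytes are constructed.

```python
import hashlib
import hmac
import socket
import ssl


def normalize_pin(pin: str) -> bytes:
    """Accept 'AA:BB:...' or plain hex and return the 32 raw digest bytes."""
    raw = bytes.fromhex(pin.replace(":", "").replace(" ", "").strip())
    if len(raw) != hashlib.sha256().digest_size:
        raise ValueError("pin must be a SHA-256 fingerprint (32 bytes)")
    return raw


def cert_matches_pin(der_cert: bytes, pin: str) -> bool:
    """Compare the certificate's SHA-256 digest with the pin in constant time."""
    digest = hashlib.sha256(der_cert).digest()
    return hmac.compare_digest(digest, normalize_pin(pin))


def open_pinned(host: str, port: int, pin: str, timeout: float = 5.0) -> ssl.SSLSocket:
    """Open a TLS connection that is trusted by fingerprint, not by a CA."""
    ctx = ssl.create_default_context()
    # A self-signed cert has no chain to validate, so chain and hostname
    # checks are turned off and trust is decided by the pin check below.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection((host, port), timeout)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    der = tls.getpeercert(binary_form=True)  # DER bytes even with CERT_NONE
    if der is None or not cert_matches_pin(der, pin):
        tls.close()
        raise ssl.SSLError("peer certificate does not match the pinned fingerprint")
    return tls


if __name__ == "__main__":
    # Constructed stand-in for a router certificate; no network access needed.
    sample_der = b"constructed stand-in for a DER-encoded certificate"
    sample_pin = hashlib.sha256(sample_der).hexdigest()
    print("same cert:", cert_matches_pin(sample_der, sample_pin))
    print("swapped cert:", cert_matches_pin(sample_der + b"!", sample_pin))
```

The encryption is identical either way; the pin only answers whether the certificate presented is the one you recorded, which is the trust question signing would otherwise answer.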

Makes sense. I decided to do port forwarding over SSH, disabling uhttpd.
