Comment by lxgr a year ago

3 replies

My point is precisely that current browsers and OSes make it impossible to ship a secure-by-default device running a local web server, NAS or otherwise.

Requiring users to install a globally trusted CA is a disaster from a security point of view (now my NAS vendor or anyone that hacks them can pose as google.com!), and for this reason doesn’t even work with modern Android apps anymore, for example.

Dylan16807 a year ago

Offering a layperson NAS buyer a self-signed cert is not "secure by default" even if browsers did accept it.

  • lxgr a year ago

    Would it be less secure than unencrypted HTTP?

    • Dylan16807 a year ago

      No.

      But if you want "secure by default" then neither one is acceptable.