Hacker News
by djrogers 3167 days ago
> What's the historical reason we aren't all using TLS to connect to our APs?

Because it’s insanely impractical for home use? Hey, here’s your new WiFi router. Just install this new root CA on all your devices, create a device cert for each machine and install that as well, and don’t forget you need to re-do this every year...


Trust keys on first use. Like SSH.

https://www.tedunangst.com/flak/post/moving-to-https

"So how does one verify that the downloaded cert is the original? The same way the CAs do. Perform a DNS lookup, make a web request, trust the result. The addition of HPKP would indicate that people find the CA model untrustworthy, solving the problem with trust on first use key continuity. Why not cut out the middle man? Protesting the CAs is admittedly pretty futile, but if I can’t do it, who can?"
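A known-hosts style store of the kind the comment above describes: pin the AP's certificate fingerprint on first contact, accept later connections only if it still matches, and refuse (rather than silently re-pin) when it changes. This is an added illustration, not code from the thread or from the linked post; the "certificates" and the SSID are constructed placeholder values, where a real client would hash the DER certificate presented in the TLS handshake.

```python
"""Trust-on-first-use (TOFU) pinning for an AP's TLS certificate.

Added example; the certificate byte strings below are constructed
placeholders, not real X.509 data.
"""
import hashlib
import json
from pathlib import Path


class KeyChangedError(Exception):
    """Raised when an already-known SSID presents a different certificate."""


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the certificate bytes, hex encoded (like ssh-keygen -l)."""
    return hashlib.sha256(cert_der).hexdigest()


class TofuStore:
    """Maps SSID -> pinned certificate fingerprint, optionally persisted to a file."""

    def __init__(self, path=None):
        self.path = Path(path) if path else None
        self.pins = {}
        if self.path and self.path.exists():
            self.pins = json.loads(self.path.read_text())

    def _save(self):
        if self.path:
            self.path.write_text(json.dumps(self.pins, indent=2))

    def check(self, ssid: str, cert_der: bytes) -> str:
        """Return "pinned" on first contact, "match" if the pin still holds.

        Raise KeyChangedError when the pin differs. The caller must abort the
        connection; re-pinning automatically would defeat key continuity.
        """
        fp = fingerprint(cert_der)
        known = self.pins.get(ssid)
        if known is None:
            self.pins[ssid] = fp
            self._save()
            return "pinned"
        if known == fp:
            return "match"
        raise KeyChangedError(
            f"certificate for {ssid!r} changed: pinned {known[:16]}..., got {fp[:16]}..."
        )

    def forget(self, ssid: str):
        """Explicit user action for a legitimate certificate rotation."""
        self.pins.pop(ssid, None)
        self._save()


# Constructed stand-ins for the DER certificate an AP would present.
HOME_AP_CERT = b"constructed-cert: CN=home-router, serial 1"
OTHER_AP_CERT = b"constructed-cert: CN=home-router, serial 2"


def demo(store_path=None):
    """Walk through first use, a repeat visit, and a changed certificate."""
    store = TofuStore(store_path)
    first = store.check("HomeNet", HOME_AP_CERT)   # "pinned"
    again = store.check("HomeNet", HOME_AP_CERT)   # "match"
    try:
        store.check("HomeNet", OTHER_AP_CERT)
        outcome = "accepted"
    except KeyChangedError:
        outcome = "rejected"
    return first, again, outcome


if __name__ == "__main__":
    print(demo())
```

Pass a file path to `TofuStore` (or `demo`) to persist pins across runs, which is what makes the second visit a "match" instead of a fresh pin; `forget` is the equivalent of deleting a known_hosts line when the router is legitimately replaced.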

The router isn’t the issue here; the clients are.
I'm thinking of a mechanism where the router obtains a trusted cert automatically, like Plex does (https://blog.filippo.io/how-plex-is-doing-https-for-all-its-...), and then asks users to authenticate by password over TLS before allowing access to network resources.
That only works because there's a central registrar of Plex users. I'm not sure how this can be done ad hoc for APs. Anyone can choose any SSID, so you'd need a global registrar of SSIDs. The system would inevitably need to charge for registrations, otherwise bad actors would squat short and memorable SSIDs. A preshared key is much more feasible.