the administrative web interface should be https
Although the administrative interface is not reachable from the internet, it would be good for it to be https, as otherwise the root password is exposed over the wire.
The problem with this is that the 'right' way to do it is to generate the cert at first boot, periodically, and every time the main name of the router changes - and regardless of how this is done web browsers generate scary messages on self-signed certs.
Updated by Jim Gettys over 2 years ago
Or we buy a cert up front for cerowrt (gw.home.lan) and throw it away after the password is set. All we care about here is that the password changing be done on an encrypted channel.