ddns-scripts: Handling of HTTP updates (without encryption)

[kbabioch]

Currently there are 52 services shipped by default that are using HTTP URLs by default (vs. 18 that use HTTPS):

grep -ril "http://" | wc -l
52
grep -ril "https://" | wc -l
18

As noted in another issue by @Ansuel this is inconsistent and potentially an issue regarding dependencies (wget / curl with SSL/TLS support and ca-certificates are needed, which makes the required flash size bigger).

However, default settings are important ("tyranny of defaults") and shipping insecure default settings is a bad idea.

My suggestion is as follows:

1.) Require SSL support for ddns-scripts.
2.) Re-evaluate all default settings and check if HTTPS endpoints are available. If so, change the URL to the HTTPS endpoint. If not, drop the service, so it's not shipped by default.

If someone still wants to use HTTP, the URL can still be set manually, but at least we would not configure it by default.

Optionally / alternatively a new (meta) package could be created (e.g. ddns-scripts-nossl) that will pull in all of the non-https services. In this case, however, a warning should be shown (at least in LUCI) that credetials are being sent over an insecure channel.

Obviously this is a change that will affect some users, so let's discuss this first.

I'm happy to work on this and provide a pull request, etc., but would like to first get an alignment and/or start a discussion.

[kbabioch]

Mostly relevant for @feckert, happy for others to join this discussion also, though.

[kbabioch]

Actually there is already some HTTP / HTTPS handling in the scripts, e.g.

packages/net/ddns-scripts/files/usr/lib/ddns/dynamic_dns_functions.sh

Line 704 in 7c9b249

if [ $use_https -eq 1 ]; then

So we should decide if this is what we want and make sure to be consistent with the definition of the services.