
Strange, I found the Unifi Controller web UI to be really poorly architected.

1) You start a .app that sits for a few seconds then requires you to launch the browser by clicking a button. While using the browser, you can't close the extra window for the controller.

2) On the browser, you go to a localhost website that has an invalid TLS certificate (you get a "Not Secure" warning) and have to click through to the unsafe website (and it's still like that in my current Unifi version).

3) The login page doesn't let you use the Chrome password manager, so you have to type it all in each time to access a local program.

4) In the web UI, the icons are not intuitive, and some combination of circles and rounded rectangles.

5) The new UI makes it seem like you can configure things that can't actually be configured outside your router.

6) Speaking of your router, Ubiquiti's own EdgeRouter routers aren't supported in the Controller UI. They require a completely different interface.

In case anyone thinks the problem with the certificate is something to do with my own setup, it's not. It's a universal problem [https://help.ui.com/hc/en-us/articles/212500127-UniFi-SSL-Ce...]



I'm not sure it's fair to fault the Unifi software for using a self-signed SSL certificate. I think the only theoretical security risk here would be that Ubiquiti could decrypt the traffic between you and your Unifi controller, if they could somehow obtain it. (Someone please correct me if I'm wrong.) Ultimately, if you don't trust the certificate it comes with, it's not too difficult to replace it with one of your own (in fact, the page you linked explains how).

I haven't had the password manager issue you describe. KeepassXC in Chrome and Firefox both fill out my credentials successfully on the login page. I totally agree about the UX of the web application though. It feels like over time, options have become more and more hidden and the icons more cryptic.


I think it's fair for a few reasons:

- Without a valid SSL certificate, there's no way to tell whether you're actually visiting your UniFi controller or a honeypot. Ubiquiti isn't the risk here.

- UniFi features that depend on WebSocket and WebRTC are unavailable when using self-signed certificates. This includes live stats updating, device terminal, airView, etc. (Those features can be used in the cloud UI... if your Internet connection happens to be working fine.)

- Valid SSL certificates would be easy to auto-provision these days with LetsEncrypt. There are some minor challenges around port forwarding / relay, but that isn't rocket science. If Plex can figure it out, Ubiquiti can figure it out :)


Enabling a non-self-signed TLS certificate on IoT devices looks like an easy task, but actually it is difficult. Routers especially are hard, because they bootstrap the WAN connection.


To be fair, there are no (or very few) practical solutions other than to use a self-signed certificate. https://lwn.net/Articles/837491/


How does one have a valid TLS cert on a piece of software that uses a "localhost website"?


You can reverse-proxy the traffic into the Ubiquiti app, and have your RP terminate the TLS connection. This is what I do and I get a correct HTTPS connection to the web site.

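An added example of the setup the comment above describes (it is not from the thread and not Ubiquiti's own configuration): nginx terminates TLS with a certificate you obtained yourself and forwards to the controller over loopback. It assumes the controller listens on 127.0.0.1:8443 (its usual default; adjust to your install), the hostname unifi.example.com, and Let's Encrypt's standard certificate paths.

```nginx
# Added example: nginx in front of a UniFi controller on the same host.
# Assumptions: controller on https://127.0.0.1:8443, hostname unifi.example.com,
# certificate issued to that hostname (e.g. via Let's Encrypt). Placeholders, not
# values from the thread.

# Redirect plain HTTP so nobody lands on the controller unencrypted.
server {
    listen 80;
    server_name unifi.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name unifi.example.com;

    ssl_certificate     /etc/letsencrypt/live/unifi.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/unifi.example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        # The controller still speaks HTTPS with its own self-signed certificate.
        # That hop never leaves the loopback interface, so it is not verified here;
        # the browser only ever sees the publicly valid certificate above.
        proxy_pass https://127.0.0.1:8443;
        proxy_ssl_verify off;

        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        # WebSocket upgrade is needed for the live-updating parts of the UI
        # (the features another comment notes break under self-signed certs).
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_read_timeout 3600s;
    }
}
```

After reloading nginx, a check with `curl -vI https://unifi.example.com/` should show the chain issued to your hostname rather than the controller's self-signed one.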

And how is ubnt supposed to do that, on your own domain, as you've done? I suspect you don't really know how any of this works.


Well, sorry for that. I will have to google "reverse proxy" a little bit more. And thank the god of your choice for having that setup miraculously working at home on my server.

What to say - maybe before assuming that someone "don't really know how any of this works" you may, just for a second, think that the person your comment is directed to has written a security reverse proxy and presented it at one of the largest security conferences.

Or not, maybe that I really do not know how terminating traffic on MY reverse proxy and sending it upstream to MY ubnt controller works. Who knows.


In that case, you'd understand the difficulties of providing a product or piece of software out of the box with valid certificates without user setup, as you've done (without running all user data through offsite servers).

I too have a working reverse proxy setup or a few. I certainly don't expect something using a "localhost site" to come with valid certificates. Unless they somehow get a valid cert for https://localhost

Edit: apologies for the assumption, I didn't realise that you weren't the guy I originally replied to. I'm new around here.


But you can replace the certificate if you want to. But many users won't have a static IP address they can use to point to their controller, and many don't even own a domain, which means the self-signed certificate is the only option.
