airikka

Everything posted by airikka

  1. I agree that it's always about finding a balance between security and usability. In this case, by using the local admin password to claim a server, it is clearly not in balance. I don't agree that it would add that much friction though. We need to remember that the target group is expected to know how to image a USB flash device with an ISO. To scan a QR code, or something similar, isn't that hard. It is another step in the installation process. But having the possibility to end-to-end sign and encrypt data might even make it easier to implement future features where integrity and/or confidentiality is needed.
  2. The problem is not that someone else might claim the server. The problem is that someone could fake (or MITM) the deck site, which is on the internet, and that way steal the admin password. Furthermore, after the claim is done, the communication (configuration and such) between the server and deck should be end-to-end verified. You don't know where TLS is terminated in the cloud services. A suggestion would be to include, in the ISO file, a pub key for signed communication from the deck to the server. And at install time, generate a key pair on the server and provide the pub key as a QR code. Using deck on a mobile device, scan the QR code and now the deck has the server's pub key. Now both server and deck can sign communication both ways. Also, if shared secrets need to be communicated, then these can be encrypted.
  3. When claiming a server, the server admin password is used on deck.hexos.com. This is quite bad design from a security perspective. An ed25519 pub key would be much better to use.