However, I found the following concerning given that the goal of the router is to provide security. I would expect a simple security review to avoid design issues like the one below.
Most the time for most users, there is no need to use HTTPS in local lan, as it take additional CPU resource. If someone need to use HTTPS for local admin web site, then he can setup it by himself.
Also don’t forget that when there would be default HTTPS the cert would be probably selfsigned, then the users would be complain that their browser say “aaaaaa INSECURE aaaaa DONT TRUST aaaaa”
Can you propose any solution, especially for problem no. 2?
I can imagine there could be a Let’s Encrypt client built in to obtain a trusted certificate for the HTTPS on the first run, however, which domain name should it use? What if router is not accessible from the Internet? Using wired connection from your computer directly to the router gives very small attack surface even without encryption.
Issue number 1 I don’t see as any issue at all. As a priveleged user, you can reset Wi-Fi password any time, you can read it from the config files or even directly from router memory. Password visibility in the router setup allows you, on the other hand, to make use of the QR codes for quick Wi-Fi connection (they also contain cleartext password, in case you didn’t spotted that).