Firmware 8.3 enabled HTTP Strict Transport Security (HSTS) on https://captive-portal.peplink.com/ (the web page served by the router).
This is causing some very annoying problems for me. We have a mix of devices running FW 8.2 and 8.3. The 8.2 devices all have expired (thus invalid) TLS certificates. Once I visit captive-portal served by an 8.3 device, I can no longer open the page on any 8.2 device. HSTS makes the “invalid certificate” warning impossible to bypass.
HSTS should (in my opinion) be a default-off option for captive-portal. The threat that HSTS mitigates isn’t relevant, since man-in-the-middle attacks are unlikely to happen on a local network. And the downsides are significant. Expired certificates are likely to occur for this kind of locally-managed device. Even with auto-updating certs in FW 8.3, they will expire if the device is powered off or offline for an extended period.
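The behaviour described in the post, modelled as an added example (not part of the original post and not Peplink's code): a browser keeps its HSTS state per hostname, following RFC 6797, so a policy learned from an 8.3 device applies to every device answering under the same name. The `max-age` value and the class and function names are assumptions made for illustration.

```python
def parse_sts(header):
    """Return (max_age, include_subdomains), or None if the header is unusable."""
    max_age, include_sub, seen = None, False, set()
    for part in filter(None, (p.strip() for p in header.split(";"))):
        name, _, value = (s.strip().lower() for s in part.partition("="))
        if name in seen:
            return None  # a repeated directive invalidates the whole header
        seen.add(name)
        value = value.strip('"')
        if name == "max-age":
            if not (value.isascii() and value.isdigit()):
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

class HstsStore:
    def __init__(self):
        self.hosts = {}  # hostname -> (expiry time, include_subdomains)

    def is_known(self, host, now):
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.hosts.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

    def visit(self, host, cert_valid, sts_header, now):
        """Outcome of one HTTPS visit: 'ok', 'bypassable-warning' or 'hard-fail'."""
        if not cert_valid:
            # Known HSTS host: no click-through. The header is not recorded on errors.
            return "hard-fail" if self.is_known(host, now) else "bypassable-warning"
        policy = parse_sts(sts_header) if sts_header else None
        if policy and policy[0] == 0:
            self.hosts.pop(host.lower(), None)  # max-age=0 clears the entry
        elif policy:
            self.hosts[host.lower()] = (now + policy[0], policy[1])
        return "ok"

def demo():
    store, host = HstsStore(), "captive-portal.peplink.com"
    sts = "max-age=31536000"  # constructed; the post does not quote the firmware's header
    return [store.visit(host, False, None, 0),         # 8.2 device, expired cert
            store.visit(host, True, sts, 10),          # 8.3 device, valid cert + HSTS
            store.visit(host, False, None, 20),        # 8.2 device again
            store.visit(host, False, None, 10 + 31536000)]  # once max-age has elapsed

print(demo())
```

The entry lapses only after `max-age` seconds without a fresh header, or when the browser's stored HSTS state for the host is cleared.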