While I agree that adding HTTPS provides no additional security over HTTP if the web UI has no password I don’t think you can compare this to SSH with a default user/password.
There is an order of magnitude more risk in having SSH access open with a default user/password than there is a web interface open with no username/password (or indeed with a default username/password). SSH access (particularly if that also gives root access) can be used to do a lot of damage to the system, install software, rootkits, and many other things, etc.
The (first run) web interface on the other hand is a wall gardened set of functionality and therefor a lower risk and that is what security is all about. It is impossible to have a totally secure system. Security is always a matter of managing the risks so I think it is absolutely right that as a step to making the whole system more secure, knocking off the an easy win, high risk item is a positive move.
I just want to voice my support for disabling SSH access by default, given that the default username and password is fixed and publicly knowledge.
Reading through this thread it seems like those who object to this are clearly advanced users, who know and understand the implications of having an SSH server running, whether the port is exposed on only the local network or more widely, etc.
But I think it’s really crucial to also consider the larger group of people, who are probably under-represented on this forum, who don’t know anything about SSH or networking. For those people, this is absolutely the most sensible and safe default.
Sure, most people will install the device on the local network, inaccessible to outside connections, but that isn’t a perfect security blanket. Even if everybody on the network is trusted (and that’s not going to be the case for all users), another compromised device on the network could provide a way in.
Even as an advanced user, who does understand SSH and networking, I’d not be happy having an SSH server running on my local network with a default username and password. It just seems like an unnecessary risk.