alokeprasad
Jan 04, 2021 Mentor
HTTPS access to the web interface.
Do the RBR50 and RBS50 accept HTTPS and HTTP connections from my devices on my LAN? Chrome is warning me that the CA root certificate issued to www.routerlogin.net is invalid. "This CA Root cert...
schumaku
Jan 04, 2021 Guru - Experienced User
alokeprasad wrote: OK to accept a cert with uncertain chain of authenticity?
How do we know that the cert wasn't compromised and would allow a man-in-the-middle attack?
The typical question of people who don't have much idea what is required to have no questions asked, just showing a "lock" in the browser, just citing some wonderful warnings ...
It's the standard problem when using self-signed certificates. Blunt theory: before accepting the exception you must compare the certificate signature with the one shown. If it's the same, a MITM is unlikely. And of course, as it's a self-signed certificate, there can't be a chain to a root trusted by all your browser makers...
Have your own DNS, your own domain (these two would allow letting a public CA sign your certificate), in case of a local domain your own PKI (certificate authority) with all the infrastructure required to operate a CRL and OCSP and having this integrated with all your browsers and mobile devices? Then you could request Netgear to add a feature to run a CSR to be signed by your CA.
alokeprasad wrote: NG should distribute valid certificate with the firmware...
Well, two possible answers.
- Netgear did ... they had a nicely signed certificate in place, the "lock" came up when using e.g. https://orbilogin.com/ ... needless to say this required including the (same) private key, and it broke the CA legal requirements.
- What would you suggest?
Where should this intruder be in a home network where all clients connect to the Orbi system by wireless or by more or less direct wired network connections?
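Added example, not part of any post in this thread: the fingerprint comparison described in the reply above, done as pin-on-first-use in Python so that later connections are checked automatically. The function names and the pin store are hypothetical, the sample certificates are constructed byte strings, and the first pin is assumed to be taken over a connection you trust (for instance a direct wired link).

```python
import hashlib
import hmac
import ssl


def fingerprint_sha256(pem_cert: str) -> str:
    """SHA-256 over the certificate's DER bytes, as browsers display it."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem_cert)).hexdigest()


def normalize(fp: str) -> str:
    """Accept 'AB:CD:...', 'ab cd ...' or plain hex; return lowercase hex."""
    cleaned = "".join(ch for ch in fp if ch not in ": -\t\n").lower()
    if len(cleaned) != 64 or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError("not a SHA-256 fingerprint")
    return cleaned


def fetch_pem(host: str, port: int = 443) -> str:
    """Fetch the presented certificate without validating its chain
    (a self-signed certificate has none to validate)."""
    return ssl.get_server_certificate((host, port))


def check_pin(name: str, pem_now: str, pins: dict) -> str:
    """Pin on first sight, then flag any change in what the host presents."""
    seen = fingerprint_sha256(pem_now)
    pinned = pins.get(name)
    if pinned is None:
        pins[name] = seen
        return "pinned"
    same = hmac.compare_digest(seen, normalize(pinned))
    return "match" if same else "MISMATCH"


# Constructed stand-ins for two different certificates (arbitrary bytes in a
# PEM wrapper, not real certificates); a live check would pass
# fetch_pem("orbilogin.com") instead.
PEM_ROUTER = ssl.DER_cert_to_PEM_cert(b"constructed router certificate bytes")
PEM_OTHER = ssl.DER_cert_to_PEM_cert(b"constructed unexpected certificate bytes")


def demo() -> list:
    pins = {}
    return [check_pin("orbilogin.com", PEM_ROUTER, pins),
            check_pin("orbilogin.com", PEM_ROUTER, pins),
            check_pin("orbilogin.com", PEM_OTHER, pins)]


if __name__ == "__main__":
    print(demo())
```

A "MISMATCH" after a firmware update may simply mean the device now ships a different certificate, so re-pin only after checking the new fingerprint over the trusted connection.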
alokeprasad
Jan 04, 2021 Mentor
Sure, self signed certs are a problem for external web sites and less so for sites (like the router interface) on this side of the NAT.
But there can be malware like trojans that can get on the LAN and change the DNS entries or other aspects of the router settings.
If NG's self signed certs are leaked, the certs cannot be revoked by the usual signing authorities.
Couldn't NG provide valid certs (signed by CA authorities) through firmware updates?
- schumaku Jan 04, 2021 Guru - Experienced User
Paranoia inside?
- alokeprasad Jan 04, 2021 Mentor
schumaku wrote: Paranoia inside?
Some paranoia is good. Leads to asking questions and better understanding of what to watch out for.
"Just because you're paranoid doesn't mean they aren't after you." - Joseph Heller
- schumaku Jan 04, 2021 Guru - Experienced User
alokeprasad wrote:
schumaku wrote: Paranoia inside?
Some paranoia is good. Leads to asking questions and better understanding of what to watch out for.
I would suggest to review the proposed idea from the NTGR KB then...
- alokeprasad Jan 04, 2021 Mentor
BTW, for those who want to add the NG cert to their browser, the instructions are at
- schumaku Jan 04, 2021 Guru - Experienced User
Paranoia inside?
alokeprasad wrote: Sure, self signed certs are a problem for external web sites and less so for sites (like the router interface) on this side of the NAT.
Well, the web browser makers did everything to make such situations visible.
alokeprasad wrote: But there can be malware like trojans that can get on the LAN and change the DNS entries or other aspects of the router settings.
If they are on your router and on your home network - you are lost anyway.
alokeprasad wrote: If NG's self signed certs are leaked, the certs cannot be revoked by the usual signing authorities.
If they are supplying the (same?) signed certificate, the leak happens along with making that firmware available for download.
alokeprasad wrote: Couldn't NG provide valid certs (signed by CA authorities) through firmware updates?
As I've told you before - Netgear did this before.
Do you expect an individual certificate signed by a CA for each router installation? This would be the answer - but way too expensive.
- alokeprasad Jan 04, 2021 Mentor
schumaku wrote:
alokeprasad wrote: If NG's self signed certs are leaked, the certs cannot be revoked by the usual signing authorities.
If they are supplying the (same?) signed certificate, the leak happens along with making that firmware available for download.
If the private key to a cert signed by proper authorities, and distributed by NG, is found to be leaked, then the signing authorities could revoke it and the OS or browsers could add it to the blacklist.
alokeprasad wrote: Couldn't NG provide valid certs (signed by CA authorities) through firmware updates?
As I've told you before - Netgear did this before.
Why did they stop? Seems like a good idea to continue.
Do you expect an individual certificate signed by a CA for each router installation? This would be the answer - but way too expensive.
Just what they used to do.
As you probably surmised, I'm not a security expert by any means. Just trying to be aware of things that could go wrong and if there's anything a user could reasonably be expected to do about it.
- CrimpOn Jan 04, 2021 Guru - Experienced User
alokeprasad wrote: Sure, self signed certs are a problem for external web sites and less so for sites (like the router interface) on this side of the NAT.
But there can be malware like trojans that can get on the LAN and change the DNS entries or other aspects of the router settings.
Would like to see more explanation of this question. Would the trojan be manipulating the Orbi DNS tables? DNS tables on individual computers?
Can someone answer this: what happens if one of these names below is entered when the Orbi is in Access Point (AP) mode? (mine cannot be put into AP mode, so I cannot test).
www.routerlogin.net
routerlogin.net
www.orbilogin.com
orbilogin.net
routerlogin.com
orbilogin.com
www.routerlogin.com
www.orbilogin.net
It appears to me that resolution of these URLs is somehow "special" (in the sense that it definitely does NOT go through any normal DNS process). This is why entering any of them when not connected to the Orbi LAN results in "not found".