Invalid certificate connection not Private

Question

CrimpOn · Answer

So true.&nbsp; There are several message threads about Netgear's SSL certificate having expired.A number of web browsers refuse (or make it difficult) to connect when the user specifies "https" instead of "http".All of us are hoping that when Netgear releases the next Orbi firmware, it will have a new certificate.Certs are typically good for three years, so the issue will not come up again until 2022 and we (sincerely) hope that Netgear keeps better track of the certificate expiration date than it did this time.

schumaku · Answer

CrimpOn&nbsp;wrote:All of us are hoping that when Netgear releases the next Orbi firmware, it will have a new certificate.Certs are typically good for three years, so the issue will not come up again until 2022 and we (sincerely) hope that Netgear keeps better track of the certificate expiration date than it did this time.Keep on dreaming my friend... If they can't manage to update the (few!) products supporting https and coming with the Netgear (Entrust CA) signed certificate - we've started reporting this late 2018/early 2019 already, and then repeatedly as your monitoring systems check the certificates in shorter intervals - they will again fail in some year where hopefully much more products should [lol] support https. Hopeless, just ridiculous.

CrimpOn · Answer

While I share the frustration (irritation and disappointment), the situation may not be as dire as that.

Unlike other browsers, the Firefox browser actually shows what prompted the "Don't go there" message:

It's pretty clear from this that the original certificate from Entrust was good for three years. My expectation is that the next certificate will probably be as long. I have never purchased an SSL certificate myself, so I do not know the particulats of what can be purchased.

Looking at the details provided by Firefox, it is apparent that Netgear purchased the certificate to cover these web sites:

DNS Name: www.routerlogin.net

DNS Name: routerlogin.net

DNS Name: www.orbilogin.com

DNS Name: orbilogin.net

DNS Name: routerlogin.com

DNS Name: orbilogin.com

DNS Name: www.routerlogin.com

DNS Name: www.orbilogin.net

So: were they incredibly careless? Yes. Should we expect another fiasco in 2022? Who knows.

schumaku · Answer

Nothing uncommon, you can let the CA sign a certificate for multiple domains/URLs - it's just a question on the price and lifetime.&nbsp;There is one point worth mentioning: All these routers make use of the very same private key - which is not really private, as it's shipped with every router, with every firmware build. This certificate makes the browser resp. the https URL look good - not that it can be considered perfectly secure. With the help of the private key, the traffic could be decrypted easily 8-)&nbsp;Remains the question why only few products come with https support. Some niche ones (e.g. the Smart Managed Plus) don't have the resources for a proper https server - but many others have everything&nbsp;required. But still, no https support. And most have no option to create a CSR or to upload an own certificate. So there is (much) more Netgear should take care of.

CrimpOn · Answer

I agree completely.&nbsp; With the wholesale shift from http to https, what was "routine" in 2016 is no longer acceptable.&nbsp; The https web code is already in the Orbi, and is the only web connection supported for Remote Access.&nbsp; My bet is that Netgear will do like everyone else and browsing to http://orbilogin.net will redirect to https://orbilogin.net automatically.

Forum Discussion

Invalid certificate connection not Private

6 Replies