
ATLThrasher22
Apr 09, 2020
Solved

RBR50 - insecure login

When logging into my Orbi RBR50 via the Orbilogin.com site it defaults to using an insecure login connection (http://orbilogin.com). Considering this could put the login name and password at risk is...
  • CrimpOn
    Apr 09, 2020

    This is correct. http is "not secure", which is why Orbi will never respond to an http connection from the internet. If "Remote Management" is activated in the Advanced Setup menu, it opens port 8443 to the internet and waits for an SSL connection attempt. Residential routers have used http for as long as I can remember, the theory being that someone has to break the WiFi encryption to get inside the network.

    If you are concerned that someone can get inside the Orbi LAN and eavesdrop on conversations, then Orbi will respond to https connections from the LAN side (https://orbilogin.net). However, there is a problem with this approach as well. Last August, Netgear either (a) neglected, or (b) decided not, or (c) were not allowed to renew the SSL certificates for a bunch of URLs, including routerlogin.net, routerlogin.com, orbilogin.com, and orbilogin.net. With the current firmware release, Netgear has included a "self-signed" security certificate in the Orbi. Modern browsers complain about this. (STOP - GO BACK - POTENTIAL RISK - The Sky is Falling). Buried in the small print is a link to "Go ahead to the site anyway." If you choose this, then the browser takes you to the Orbi router web interface in an encrypted session.

    I have read comments that "these days" it makes no sense for 1,000s of devices spread all around the world to claim that their SSL certificate for something like "routerlogin.net" is valid. The issue is far more complicated than one might think.

    So, (a) you are correct, and (b) there is an (ugly) workaround.
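
An added example, not part of the thread and not Netgear's code: because a self-signed certificate cannot be validated against a CA, one way to use the https login with some assurance is to record the certificate's SHA-256 fingerprint once over a trusted connection and compare it on every later visit. The pin file name is a hypothetical choice, and the certificates in the offline demo are constructed bytes, not real certificates.

```python
import hashlib
import hmac
import json
import ssl
import sys
import tempfile
from pathlib import Path

PIN_FILE = Path("router_pins.json")  # hypothetical location for recorded fingerprints


def fingerprint(pem: str) -> str:
    """SHA-256 of the DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


def fetch_pem(host: str, port: int = 443) -> str:
    # With ca_certs=None (the default) no chain validation is attempted,
    # so a self-signed certificate is returned instead of raising an error.
    return ssl.get_server_certificate((host, port))


def check_pin(host: str, pem: str, pin_file: Path = PIN_FILE) -> str:
    """Return 'pinned' on first sight, 'match' if unchanged, 'MISMATCH' otherwise."""
    pins = json.loads(pin_file.read_text()) if pin_file.exists() else {}
    seen = fingerprint(pem)
    if host not in pins:
        # Trust on first use: only meaningful if this first run is made
        # from a connection you already trust (e.g. wired to the router).
        pins[host] = seen
        pin_file.write_text(json.dumps(pins, indent=2))
        return "pinned"
    return "match" if hmac.compare_digest(pins[host], seen) else "MISMATCH"


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Live check, e.g.: python pin_check.py orbilogin.net
        print(sys.argv[1], check_pin(sys.argv[1], fetch_pem(sys.argv[1])))
    else:
        # Offline demo with constructed (not real) certificate bytes.
        demo_file = Path(tempfile.mkdtemp()) / "pins.json"
        cert_a = ssl.DER_cert_to_PEM_cert(b"constructed cert A")
        cert_b = ssl.DER_cert_to_PEM_cert(b"constructed cert B")
        for pem in (cert_a, cert_a, cert_b):
            print(check_pin("orbilogin.net", pem, demo_file))
```

A `MISMATCH` only says the certificate differs from the recorded one; a firmware update that ships a different certificate would produce the same result, so confirm the cause before re-pinning.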