Forum Discussion

Initiate

Oct 17, 2019

Solved

Why isn't ORBI Login Secure

I like the product but why is the browser login for Orbi insecure? (http://orbilogin.net/adv_index.htm). IF I change to HTPPS I get a different error. I don't use the phone app becasue I find t...

Troubleshooting

CrimpOn
Feb 14, 2020
willemdh wrote:

HTTPS is really important and should also be enabled inside the network. otherwise the password used when logging in, can easily be sniffed by bad actors..

Please add this feature asap...

Done!

It works already. The ugly thing, however, is that Netgear has totally messed up the SSL Certificate on the Orbi line, so modern browsers like Chrome will complain, "The Cert is bad. Don't go there! Oh, no. The sky is falling."

Try it for yourself: https://orbilogin.net. Just ignore the warnings and proceed to the Orbi Home Page. Works great!

https://community.netgear.com/t5/Orbi-Wi-Fi-5-AC-and-Orbi-with/Microsoft-Edge-and-now-Chrome-browsers-cannot-connect-to-router/td-p/2359675/jump-to/first-unread-message

CrimpOn

Guru - Experienced User

Oct 17, 2019

Thank you for joining "The Choir". These have been on-going issues for months now:

(Literally) since "the beginning" consumer WiFi routers have had unsecured web administration (http).
My take was that a person had to be "on the inside" to reach the router web pages,
and Remote Access is turned off by default, so the risk might have been determined to be minimal.
In the last couple of years, there has been a huge push to encrypt almost all web sites, and Netgear is slow to adapt.
Netgear does support encrypted access to the web administration, through https,
but unfortunately Netgear let their Ensure Certificate lapse in August and has not released updated firmware
with a new certificate. People are seriously annoyed when their web browsers now refuse to connect to the Orbi
because of this.
Netgear is also joining the move to cloud based management with the Orbi app.
There are many (many) devices now that can be managed only with a web app via the cloud.
The Orbi "app" is slick, but (a) incomplete, (b) buggy, and (c) requires an internet cloud connection
that many of us would rather avoid.

I think your observations are "spot on."

FURRYe38
Guru - Experienced User
Oct 17, 2019
One issue is that there are certificates that need to be on local devices that would need to be effected for HTTPS to work on any router web page. Most router mfrs don't or probably won't try to support this as this would take more resources and support and with all kinds of various devices, PCs and browsers, this could be a monumental case to solve for just accessing a routers web page with https. Something until something gets exposed with using HTTP on the LAN side of the routers web page, just hasn't been a problem up to this point. Unless you have a known trouble maker on your LAN side, it's something thats not critical. I've never seen any problems stemming from use of HTTP with a routers web page yet.
Those router MFrs that do well, thats good as well. I would be nice if we could use either mode however.
- CrimpOn
  Guru - Experienced User
  Oct 17, 2019
  I think this is the whole point of the "certificate" issue. Netgear has implemented encrypted web access on the Orbi and included a certificate that was good from August 2, 2016 to August 2, 2019. (Remote Access requires using https.) So, yes, they shipped thousands of products that all had a valid security certificate. Their failure to anticipate the certificate expiring and getting a new certificate out to the routers is what has caused so many web browsers to complain since August 2.
  - FURRYe38
    Guru - Experienced User
    Oct 17, 2019
    Agreed, thats the other thing. NG needs to update the current certificiate.