NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.
Forum Discussion
Solved
Why isn't ORBI Login Secure
I like the product but why is the browser login for Orbi insecure? (http://orbilogin.net/adv_index.htm). IF I change to HTPPS I get a different error. I don't use the phone app becasue I find t...
willemdh wrote:
HTTPS is really important and should also be enabled inside the network. otherwise the password used when logging in, can easily be sniffed by bad actors..
Please add this feature asap...
Done!
It works already. The ugly thing, however, is that Netgear has totally messed up the SSL Certificate on the Orbi line, so modern browsers like Chrome will complain, "The Cert is bad. Don't go there! Oh, no. The sky is falling."
Try it for yourself: https://orbilogin.net. Just ignore the warnings and proceed to the Orbi Home Page. Works great!
FURRYe38 wrote:Its the local LAN side thats doesn't offier https that users are asking about:
Au contrair, mon ami. The LAN side DOES support https. Just type it in (https://<ip of orbi>). And, when the web browser says, "WARNING - INSECURE - GO BACK, GO BACK", click on the "Advanced" option (or similar) and go to the web page anyway.
This "give us https" thing has been rattling around for years. It is a long running theme in the "ideas" section.
Idea Exchange For Home - NETGEAR Communities
for example, plenty of them here:
Search - NETGEAR Communities – https
As FURRYe38 says, "http" access does seem to be an "industry standard". And it isn't limited to routers. NAS boxes can play the same game.
Out of interest, has anyone ever reported a security incident on their local network that they can put down to this "hole"?
I have yet to see any incidences with LAN side problem with a routers web page using HTTP. If anyone was going to cause a problem here, it would have to be from the LAN side. Some nefarious child with a laptop could possibly find a problem and exploit it. :smileywink:
Thanks. That's what I thought.
"Paranoia runs deep."
No prize for anyone old enough to know where that comes from.
I am not sure you would know as somebody who is able to intercept the cleartext traffic and read the admin credentials has all the tools they need on the router to cover their tracks. Good luck finding any trace of unauthorised access. Not securing an administration interface with even the most basic form of encryption as we approach the end of 2020 is simply ignorant and / or negligent.
Assuming your network is compromised is the default position taken by any security professional for the last 10 years, so I can only asume that Netgear do not employ any security staff.
It appears that short of replacing their Orbi system (and being very careful* to learn how the replacement system is secured), people have two choices:
- Use the insecure http web interface, with the convenience of being able to address it as http://orbilogin.net, or
- Use the secure https web interface, which requires them to address it as https://<ip of orbi>, and ignore the warning about the invalid SSL certificate.
With the first method, managing the Orbi router with a wired computer would shield the plain text login from anyone who has broken the Orbi WiFi security and is snooping on WiFi traffic to capture packets. And, if a WiFi connected computer is being used to manage the Orbi, then the attacker still has the task of breaking the WPA2 security.
* It would be useful to have a list of the WiFi routers which are "secure" for comparison. As a test, I looked up the user manual for the Asus ZenWiFi CT-8, one of the very newest WiFi6 products. Page 13 of the user manual indicates how to access the router web interface:
https://dlcdnets.asus.com/pub/ASUS/wireless/ZenWiFi_CT8/E16735_ZenWiFi_CT8_UM.pdf
And, yes, the instructions are: http://router.asus.com. NOT SECURE.
