NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.
Forum Discussion
GS110EMX https support
Ok...this can't actually be true - I must be missing something - but I can't find where I can enable https on the GS110EMX There's no way this switch doesn't support it - that would be.......crazy. ...
it is true for all Plus Switches deliver network monitoring, traffic prioritization, and VLAN network segmentation to small businesses. With a few exceptions from this product line-up are not built on managed cores, but on configurable unmanaged switches. Technically, the resources are not available for https, and a true management VLAN is available on the select ones built on a managed core.
Thank you, Schumaku for taking the time to reply. Unfortunately, it isn't much of an answer.
Seems as though you are trying to dance around the subject: "technically" the resources don't exist to support https? Then make the resources available in your products.
To ship a web managed device in 2022 without https is irresponsible at best. In fact, it's a joke. There is no excuse for that. Use better chips.
It is precisely this behaviour from vendors that no consumer should ever accept. Why do you accept it?
http was deprecated years ago by both Google and Mozilla - 7-8 years ago to be exact. Why on earth would Netgear offer any product (even low or med range) without https support?
When will Netgear feel it is necessary to use https in all of their products? Perhaps in another 7-8 years?
Thank you for letting me know that the entire range of Netgear Managed Plus switches should be avoided.
I will never buy another switch in that range ever again.
For now, I have mitigated the risk on my network for this product, and in the future I will be avoiding that range altogether. Netgear should be embarassed.
sstifferd wrote:
http was deprecated years ago by both Google and Mozilla - 7-8 years ago to be exact.
Is it really?
They talked of public Web pages et all! Different from all the many incomplete, https implementation and environments not ready to deploy trusted certificates, lack of full DNS deployments, issuing warning on whatever levels when accessing, accepting risk, getting red warnings - things I see on a regular base on home, small- and medium business environments state in deep red that these https devices are by far not so secure as it appears. this is neither more nor less secure than all these millions of red https embedded devices. a far to many places where such devices are deployed don't have the basic requirements in place for rolling out a PKI or make use of the fancy Let's encrypt.
As of today, http pages still show up eventless, without red warning, no security geek organization Web browser like Mozilla or Google does have a problem permitting using plain text http pages. the right thing at the right place.
Last: The market does still want inexpensive devices like the Plus series. In many places, these are perfectly sufficient. It's not black and white. When doing audits i still see much more http and insecure https devices (what does not make a difference).
And no, I'm not Netgear, as well was the above thought as the final answer.
Perhaps you misunderstood what I meant. 8 years ago it was widely accepted that http was a bad idea, and that all websites should be encypted. This is a basic need, not a nice to have. Many people demanded it. Google and Mozilla came to the forefront, and tried to influence the adoption of https 8 years ago. I mentioned nothing about the success of their implementation. Only that it was widely known that http was an issue nearly a decade ago.
And here we are, 8 years later with a Netgear product that uses http. And someone who is accepting of it!
https is very cheap to implement, and there are zero excuses for this.
As for audits: I work in the financial sector and I understand them very, very well. This would be a giant red flag - they may even demand that we pull the switch. Granted, this device wouldn't ever be used in a bank.
But the fact you're mentioning audits is...absurd. Any audit would flag this. And any company concerned about security would not buy a new switch that had http only. Why should I?
I'm also not sure what you mean specifically about "insecure https" devices. Do you mean the little red flag on a web browser when connecting to a switch or device that has https?
You do know that the traffic is still encrypted, right? It's just that there isn't a chain of trust for the embedded certificate that resides on the device. But the traffic is still encrypted and protected. Encryption is a basic need in 2022. It should not be available only for the wealthy, and the top tier devices. It should be a basic technical right.
You should be demanding it!
If you're ok with it, that is your choice. But don't attempt to excuse it, because it is inexcusable. You can still make a cheap switch that has https.
NETGEAR Academy
Boost your skills with the Netgear Academy - Get trained, certified and stay ahead with the latest Netgear technology!
Join Us!
