jrfinkel
May 18, 2021 Aspirant
Admin page keeps refreshing...time off after 6.10.5 hotfix
I just applied the 6.10.4->6.10.5 hotfix. The files are accessible from Windows Explorer, but I cannot do any maintenance via the web page (I tried in various browsers) because the admin page keeps...
StephenB
Jun 22, 2021 Guru - Experienced User
jrfinkel wrote:
I changed the url I was using to use the https protocol. The browser warned me that I was attempting to load a secure page that had an invalid certificate, but I just went ahead and allowed it to load.
Good catch. There is a setting to enable http admin access, but it is disabled on all my ReadyNAS. So this is not something I would have found. It'd be useful to know if others are also using http.
It is a bit unclear to me why the problem only occurs after people change the admin password though.
jrfinkel wrote:
I think that Netgear has to simply install a legitimate certificate and redirect all http traffic to use the https protocol. Both of these are child's play.
On traffic redirection to https: Netgear actually does this on older ReadyNAS, and it is starting to cause problems (because the security protocol they were built to use is being retired). So I'd rather they not hard-wire redirection to https. There already is a setting to disable http admin, and I'd rather it be used instead. I'm not sure if that is enabled by default or not (IMO it should be disabled by default).
Anyway, I'd rather they fix the problem by making http access to the admin page work properly, not by requiring https to get there. If rumors here about Netgear abandoning the NAS business are correct, I want "vanilla" http access to be possible, just to make sure I can always get into the web interface down the road.
On installation of a "legitimate" cert: Installation might be simple, but it isn't possible for them to get that certificate. A Netgear certificate certifies that the NAS (more specifically, the NAS web server) is owned/administered by Netgear. It isn't, it's owned/administered by you.
Other than self signed, there are three cert types:
- Domain Validated: the owner validates that they own the site through a DNS record that is attached to the website domain.
- Organization Validated: The owner validates that they own both the domain and an organization named in the DNS record. (e.g., "I am Amazon, Inc and I own the domain amazon.com").
- Extended Validation: Like Organization Validated, but there are more steps needed to prove ownership. Likely Amazon.com is actually EV.
All three are linked to a domain name, and in this situation there is no domain being used to reach the NAS web ui. So Netgear can't obtain a cert from a certificate authority (what you are calling "legitimate").
I guess there is one possibility here - Netgear could change the firmware so that the only way to get admin access was through ReadyCloud.com. But that would totally disable your ability to reach the NAS admin interface if Netgear ever exits the business or shuts down ReadyCloud. It would also require all NAS owners to allow internet access to the NAS. And if anyone was able to hack ReadyCloud they'd be able to get admin access to every ReadyNAS. AFAIC, that is not an acceptable path.
@DrDDP2 wrote:
Really? So the solution is to abandon the latest update and just stick with the prior release going forward?
If incompatible, then it seems poor to automatically upgrade to a version that breaks the http auth process...
Maybe I'll just grit my teeth and perform the factory update.
You aren't talking to Netgear here, just other users. All we can find are workarounds, not real fixes. The downgrade isn't the same as the factory default - no data is lost.
jrfinkel has found another workaround, which is to uncheck Enable HTTP admin in system->settings->services->HTTP.
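An added illustration of the point above that CA-issued certificates are linked to a domain name (this is not part of the thread and not Netgear code): it classifies the host in a NAS admin URL and reports whether that host is a DNS name a certificate authority could domain-validate. The sample URLs, the function names and the suffix list are constructed assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Special-use suffixes that never resolve in public DNS (RFC 6761, 6762, 8375).
# Assumption: illustrative list, not exhaustive.
INTERNAL_SUFFIXES = ("local", "localhost", "home.arpa", "test", "invalid")


def classify_admin_host(url):
    """Return 'private-ip', 'public-ip', 'internal-name' or 'public-name'."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    if not host:
        raise ValueError("URL has no host: %r" % url)
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal carries no domain name at all.
        return "public-ip" if ip.is_global else "private-ip"
    # Single-label names (e.g. "readynas") and special-use suffixes exist
    # only on the local network, so nobody can prove ownership to a CA.
    if "." not in host or any(
        host == s or host.endswith("." + s) for s in INTERNAL_SUFFIXES
    ):
        return "internal-name"
    return "public-name"


def has_validatable_domain(url):
    """True only when the admin UI is reached through a public DNS name."""
    return classify_admin_host(url) == "public-name"


# Constructed sample URLs; none are taken from the thread.
SAMPLES = [
    "http://192.168.1.50/admin/",
    "https://[fe80::1]/admin/",
    "http://readynas/admin/",
    "https://nas-36-f2-1a.local/admin/",
    "https://nas.example.net/admin/",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print("%-36s %-14s domain-validatable=%s"
              % (url, classify_admin_host(url), has_validatable_domain(url)))
```

Only the last sample, a name under a domain the owner would have to register and control themselves, could be domain-validated. The typical ways of reaching a NAS on a LAN fall into the other categories, which is why the device ships with a self-signed certificate.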
jrfinkel
Jun 22, 2021 Aspirant
StephenB wrote:...
On installation of a "legitimate" cert: Installation might be simple, but it isn't possible for them to get that certificate. A Netgear certificate certifies that the NAS (more specifically, the NAS web server) is owned/administered by Netgear. It isn't, it's owned/administered by you.
...
Excellent points. Thanks.