redstamp
Jun 04, 2016 (Apprentice)
/dbbroker exploit
3 weeks ago I purchased a Netgear ReadyNAS and moved all my files onto it. This week I tried to turn on "ReadyNAS Replicate" under the Cloud tab in the LAN http interface. There were some user cred...
Retired_Member
Jun 08, 2016
The problem with disabling HTTP admin by default is the panic created by the browser WARNING THIS IS UNSECURE CONNECTION, BEWARE, YOU MAY BE GOING TO GET DESTROYED overdone messages warning that the HTTPS certificate isn't signed properly (doesn't match fqdn, etc.).
StephenB
Jun 08, 2016 (Guru - Experienced User)
jak0lantash wrote:
The problem with disabling HTTP admin by default is the panic created by the browser WARNING THIS IS UNSECURE CONNECTION, BEWARE, YOU MAY BE GOING TO GET DESTROYED overdone messages warning that the HTTPS certificate isn't signed properly (doesn't match fqdn, etc.).
I understand the user heart attack resulting from the panic, and that is likely why Netgear leaves it enabled.
But the truth is https (with the warning) is more secure than http (without the warning). So if you forward http through your router then you should certainly disable http admin. Businesses probably should disable it too.
It doesn't matter very much if you are a home user who doesn't enable remote web access to the NAS.
- Retired_Member, Jun 08, 2016
StephenB wrote:
But the truth is https (with the warning) is more secure than http (without the warning)
That's for sure! ^^
StephenB wrote:
But the truth is https (with the warning) is more secure than http (without the warning). So if you forward http through your router then you should certainly disable http admin. Businesses probably should disable it too.
It doesn't matter very much if you are a home user who doesn't enable remote web access to the NAS.
I actually think the default setting is different on desktop units (HTTP) and on rackmount units (HTTPS) - OS6 of course.
- redstamp, Jun 11, 2016 (Apprentice)
Thanks guys - done all that and accepted warning etc and now there is an unlocked padlock permanently in the address bar when accessing administration pages - just wanted to check I'm doing it right and this is more secure / encrypted and I haven't missed an important step to get the data encrypted, like installing a certificate or such like.
FYI - I have a feeling the entire incident was caused by my 'NAT mapping' my router from Port 666 to my NAS port 21, in a vague attempt to mask my external FTP access - but perhaps someone hacked it during the week and when I returned they were sat on the link or in the middle watching for my login details...
Anyway - thanks for all the advice.
Jon
- StephenB, Jun 11, 2016 (Guru - Experienced User)
redstamp wrote:
Thanks guys - done all that and accepted warning etc and now there is an unlocked padlock permanently in the address bar when accessing administration pages - just wanted to check I'm doing it right and this is more secure / encrypted and I haven't missed an important step to get the data encrypted, like installing a certificate or such like.
If you've disabled http admin access, and are using https, then the link is encrypted. The padlock (and warning) are because the NAS is using a self-signed certificate. By definition, that can't be verified with a certificate authority.
There is a new tool called letsencrypt that automates installation of a free cert from a CA; it would be great if the NAS had an option to use it. Note that the cert from letsencrypt is for a URL (a ddns name for example, not an IP address).
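
Added example, not part of the thread and not NETGEAR code: a shell sketch of why a self-signed certificate like the one discussed above triggers the warning. It assumes the `openssl` CLI (1.1 or later) is installed; the certificate is generated locally and `nas.example` is a constructed placeholder name.

```shell
#!/bin/sh
# Constructed demo: no NAS is contacted; a throwaway certificate is generated locally.

make_selfsigned() {   # $1 = output directory
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=nas.example" \
    -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

is_self_issued() {    # $1 = cert; true when subject and issuer are the same name
  subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
  iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
  [ "$subj" = "$iss" ]
}

ca_verifies() {       # $1 = cert; chain check against the system CA store only
  openssl verify "$1" >/dev/null 2>&1
}

pinned_verifies() {   # $1 = cert; the certificate itself is the trust anchor
  openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

tmp=$(mktemp -d)
make_selfsigned "$tmp"
is_self_issued "$tmp/cert.pem" && echo "subject == issuer: self-signed"
ca_verifies "$tmp/cert.pem" || echo "no CA vouches for it: this is what the browser warns about"
pinned_verifies "$tmp/cert.pem" && echo "verifies once this exact certificate is explicitly trusted"
rm -rf "$tmp"
```
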