AlphaBravo88 (Initiate)
Mar 14, 2016
Status: Engineering Investigation
Modems/Routers : Add HTTPS when connecting to the NETGEAR Genie page
Hi NETGEAR,
I have recently configured a few different NETGEAR ADSL Modems/Routers, to be specific the D6400 and DGND3700v2, but both of these don't appear to support an HTTPS connection to the NETGEAR genie web page. As far as I can tell from browsing all the links and sub-links, you don't even have a setting to enable this. The only reference to HTTPS in the User Manual is to enable HTTPS for remote connections from the Internet (Manage the Modem Router Remotely, Page 244).
Would NETGEAR look at integrating this in the next firmware release to improve security on your device?
Thank you in advance for taking the time to respond to my question, it is most appreciated.
Regards
55 Comments
- This is a nice idea, however this wouldn't be possible to do. Plus it wouldn't really improve security on the router. This is because SSL is just making the connection between yourself and the router secure when accessing the site. You don't transfer any valuable data between yourself and the genie web page, so there is no point for SSL especially on a trusted internal network.
- chopin70 (Virtuoso)
I disagree with WinnerPlus, this is big ignorance about router security issues.
When accessing GUI management through the LAN, it also should be only SSL.
A malicious page on the web can run a script to redirect access to the router GUI. If the password is saved, it can sniff it through HTTP and send it back to a remote attacker.
This is well documented over many wifi security blogs.
Many third-party manufacturers, including Linksys, already offer an option to access the GUI through the LAN using only SSL and disabling normal HTTP access.
- Macecho (Novice)
HTTPS for admin is a must.
Moreover, I do not understand why we cannot change at least the port to access the admin interface, even if we stay in HTTP. Ports like 80, 81 or 8080 are too obvious for attackers coming through the LAN.
chopin70, yes, I agree that SSL is needed for external remote connections. However, for SSL within a secure trusted internal network I don't see the need, especially within a home router. The only time you will need SSL in my eyes is when you have an open WiFi network, or when you have a remote connection running - yet normally only people with knowledge will have this running. So it shouldn't be a concern.
Also, how would an SSL certificate be applied to the mass market? You would have to have a self-signed cert, but that will most likely cause lots of issues for NETGEAR. For instance, Google Chrome will recognise it's not a trusted site, due to the self-signed cert, and will cause an alert to pop up, making sure the user wants to proceed. Again, this will cause the normal user to get worried and not visit the site, possibly causing a demand for support. Also, MITM attacks will still be able to occur.
Macecho, I believe you can already edit the port in the remote management page.
- chopin70 (Virtuoso)
Sure, the self-signed certificate has limitations, but it is enough for advanced users.
Having an option to enable SSL local access will comfort the normal users you mention (like other brands have done).
Having a local secure wifi won't help you. Even if, like me, you disable wifi admin and only enable LAN.
The risks are very serious during your simple browsing.
Just google about router management over local http vulnerabilities
Maybe this should stop here and let Netgear team decide if they like to keep their routers a step behind competition, security wise. They already do with VPN using years deprecated encryption for certificate keys
- AbhayB (NETGEAR Employee, Retired) Status changed: Unspecified to Engineering Investigation
- CyberTri (Apprentice)
A self-signed cert is fine. Make it an advanced option. Snooping malware can intercept plaintext delivery of the base64 (Authorization: Basic) user/pass communication that is unencrypted. Read the link below.
- CyberTri (Apprentice)
Ok Netgear! No excuses now. KRACK is real and this is enough reason to enable HTTPS once you release the patch.
- NOMOREFUDGICLES (Onlooker)
Let's go, you bunch of motheryards!
ENABLE HTTPS administration on all admin interfaces and allow for varying ports. LET'S GO NETGEARRRRRRRRRRRR!
- SecDoc2017 (Novice)
So it's truly unbelievable that the management interface for all routers does not default to HTTPS! Also, why do I need the SSID and password scrolling across my screen? The developers of these interfaces need a healthy dose of security training.
To be clear, SSL should now be referred to as TLS. All versions of SSL (1.0, 2.0 & 3.0) are vulnerable to attack. TLS 1.0 should also be deprecated. TLS 1.1, 1.2 and soon 1.3 should be the supported standard.
TLS encrypts the traffic between the client end point and the web interface of the router. The main reason this is important is to prevent unauthorized users on the wired side from sniffing network traffic and gathering login credentials for the router. Without TLS, this data is sent unencrypted and can easily be gathered from Wireshark captures.
Wireless data transfer is a different story. All routers should be using WPA2 and nothing else. Yes, there are attacks against it, but it is highly unlikely that you will fall victim to that in your home. If you were to get compromised, having your router use TLS means that traffic would be encrypted in transit via TLS and not visible anyway!
Wireless traffic sent using WPA2 encryption is unreadable in transit unless you are able to break the key pair. This is not trivial.
In addition to HTTPS on the router admin interface, we should be screaming for router vendors and device manufacturers to fully support 802.11w - Secured Management Frames. By fully supporting this standard and turning on those features, one would significantly reduce the likelihood that someone could force a client to deauth and connect to a rogue access point broadcasting a known SSID.
In any case, if Netgear can't get the simple stuff right, how much can you trust that they got the rest right? They should take a lesson from DD-WRT!
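The plaintext credential exposure CyberTri and SecDoc2017 describe (HTTP Basic auth to a router admin page being nothing more than base64 in a Wireshark capture) can be checked for defensively. The following is an added example, not code from the thread or from NETGEAR: it scans constructed plaintext HTTP requests, flags Basic-auth logins sent to private (RFC 1918) addresses such as a router GUI, and reports the account without writing the password itself to any log.

```python
import base64
import ipaddress
import re

# Constructed sample requests, as a packet capture tool would show them after
# reassembly. Hosts and credentials are made up for this example.
SAMPLE_REQUESTS = [
    # Router admin login over plain HTTP: "admin:password123" in base64.
    "GET /start.htm HTTP/1.1\r\nHost: 192.168.0.1\r\n"
    "Authorization: Basic YWRtaW46cGFzc3dvcmQxMjM=\r\n\r\n",
    # Basic auth to a public host: out of scope for a router-admin check.
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
    "Authorization: Basic Ym9iOnNlY3JldA==\r\n\r\n",
    # Private host, but no credentials on the wire.
    "GET /status HTTP/1.1\r\nHost: 10.0.0.1\r\n\r\n",
]

HOST_RE = re.compile(r"^Host:\s*([^\r\n:]+)", re.MULTILINE)
BASIC_RE = re.compile(r"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)",
                      re.MULTILINE | re.IGNORECASE)


def is_private_host(host):
    """True for RFC 1918 / loopback style addresses; hostnames count as public."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False


def find_exposed_admin_logins(requests):
    """Return one finding per request that sends Basic auth to a private host.

    The password is never returned or logged; only its length is reported so
    an analyst can confirm a real credential (not an empty string) leaked.
    """
    findings = []
    for req in requests:
        host_m, auth_m = HOST_RE.search(req), BASIC_RE.search(req)
        if not (host_m and auth_m):
            continue
        host = host_m.group(1).strip()
        if not is_private_host(host):
            continue
        try:
            decoded = base64.b64decode(auth_m.group(1), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not a well-formed Basic credential; skip it
        user, _, password = decoded.partition(":")
        findings.append({"host": host, "user": user, "password_len": len(password)})
    return findings
```

Running `find_exposed_admin_logins(SAMPLE_REQUESTS)` flags only the 192.168.0.1 request, which is exactly the situation the thread argues HTTPS on the LAN would close.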