NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.
Status:
Engineering Investigation
Modems/Routers : Add HTTPS when connecting to the NETGEAR Genie page
Hi NETGEAR,
I have recently configured a few different NETGEAR ADSL Modems/Routers, to be specific the D6400 and DGND3700v2, but both of these don't appear to support a HTTPS connection to the NETGEAR genie web page. As far as I can tell from browsing all the links and sub links, you don't even have a setting to enable this. The only reference to HTTPS in the User Manual is to enable HTTPS for remote connections from the Internet (Manage the Modem Router Remotely, Page 244).
Would NETGEAR look at intergrating this in the next firmware release to improve security on your device?
Thank you in advance for taking the time to respond to my question, it is most appreciated.
Regards
55 Comments
AlphaBravo88wrote:Hi NETGEAR,
I have recently configured a few different NETGEAR ADSL Modems/Routers, to be specific the D6400 and DGND3700v2, but both of these don't appear to support a HTTPS connection to the NETGEAR genie web page. As far as I can tell from browsing all the links and sub links, you don't even have a setting to enable this. The only reference to HTTPS in the User Manual is to enable HTTPS for remote connections from the Internet (Manage the Modem Router Remotely, Page 244).
Would NETGEAR look at intergrating this in the next firmware release to improve security on your device?
Thank you in advance for taking the time to respond to my question, it is most appreciated.
Regards
I made all the comments about how any malware can snoop on plaintext traffic in a network and grab the password. 3 things should always be an option for routers. They don't seem reasonable.
1. Https available
2. Changing the user name from admin
3. Change the port used ex.(https://192.168.1.1:5000)
Then basic security is achieved.
Kind of responding to this and several other very similar threads on this forum I came across covering many netgear routers.
No router software newer than lets say... 2010?.. just to pick a number, should even have plaintext anything as an option for communicating with a router's admin interface / OS, period. This is _basic_ security. Anything made within the last several years should support HTTPS using TLS 1.1-1.3 (no SSL) for admin interfaces.
Saying the local network is secure by calling it "internal" or "inside" or whatever word you want to use as if it is some magic wand that solves all security problems, is simply ignorant and in the case of a developer working on router firmware saying it, irresonsible, even negligent. WPA2 is quite crackable these days, and it has never been sure-fire. Wireless networks are fundamentally insecure by their very nature. There is _no_ excuse whatsoever for current router firmwares not having at least the _option_ of turning on https (and optionally ssh) for management and disabling http/telnet/plaintextwhatever.
And given that it is trivial to implement given the toolsets/packages/etc. available today, I'm really not sure what is preventing Netgear from keeping up with basically every one of their competetors on this point? Its very perplexing as a consumer to spend a few hundred dollars on a crazy gaming router (R9000 in my case) only to find that it doesn't even have industry standard basic minimum security features... in 2018.
Seriously, what is the actual deal?
- I used to think Netgear products are good, but my expectations from Netgear dropped. I know they have a customer service that is willing to listen and work with me, but when the problems are not solved and devices donot work as advertised, my money is better spent somewhere else. I am glad I bought mine at Costco and so I can take it back in a month if Netgear does not resolve the https issue on admin login.
- I paid $500+ for Orbi and I get an unsecure product? Even my Netgear EX3700 which is just a wifi range extender has https connection. Netgear you need to step up your act here.
Any confirmation on whether any older models will get the https interface?
New Netgear devices are moving to https.
The browser/genie interface is local, not some website out in the internet. It takes some effort to attack your router from the outside world.
Remote access does use https.
It's not ok no matter what anyone says. Malware can scan your network and play man-in-the-middle to steal passwords sent in open text to your .1 router.
The easy fix to this is make the default login http, and give an option (that notifies about browser cert wanrings that you can ignore) in the advanced menu, for people that understand what they are doing.Bitdefender is saying any router without https authentication is a high security risk.
I just scanned my network with bitdefender home scanner to see if any of the myriad of devices I have in my smart home is a security risk.
To my suprise everything is good except my Nighthawk c7000 cable modem router. Bitdefender says it is a high risk becauses it uses http
instead of https for authentication. Bitdefender tells me I need to upgrade my router firmware. (This is not an option on the combo product, as only the ISP can
push through firmware upgrades.)
Reading this thread, is it safe to assume that Netgear still doesnt use https for authentication?
I have problem with my !RN426! for 3 months, and at end of support !L3! says me !We Test Your Defect on !RN526! and all works good!
I think what httpS will never be added...
Any update on this? I would think this would be a high priority update?
Thanks!
BTW, using Netgear Router R8500
