NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.
Status:
Engineering Investigation
Modems/Routers : Add HTTPS when connecting to the NETGEAR Genie page
Hi NETGEAR,
I have recently configured a few different NETGEAR ADSL Modems/Routers, to be specific the D6400 and DGND3700v2, but both of these don't appear to support a HTTPS connection to the NETGEAR genie web page. As far as I can tell from browsing all the links and sub links, you don't even have a setting to enable this. The only reference to HTTPS in the User Manual is to enable HTTPS for remote connections from the Internet (Manage the Modem Router Remotely, Page 244).
Would NETGEAR look at intergrating this in the next firmware release to improve security on your device?
Thank you in advance for taking the time to respond to my question, it is most appreciated.
Regards
55 Comments
You can download xca and make your own
It's very simple to add a self signed cert and let users choose http or https. On the https page the browser will give a warning saying unknown certificate authority. You just proceed anyway.
Or...buy a cheap Comodo cert and keep it in the devices. Firefox, Edge, & Chrome accept Comodo certs
- It seems to me that several years of requests from informed users should be sufficient to prompt Netgear to implement HTTPS in their routers. If these arguments aren't most modern browsers simply refuse to connect to HTTP sites or they make you jump through all sorts of hoops before they will connect. It's time for NETGEAR to get into the 21st century on this and implement the feature. What will it take? An act of Congress? With security the problem that it is, it might come to that.
Just checked, and it was not added to the latest firmware V1.3.1.64_10.1.36
Delete
I use voxel. Doesn't fix the no tls session encryption issue but it makes my r7800 run like a banshee on crack. Try it. Use SSH for remote admin if you need it and keep http admin on the wan side disabled.
CyberTri wrote:
I have a long standing request supported by you and many others to get https added to gui access for configs. They don't care. Even if it creates an open text vulnerability against internal malware snooping. .... Seems like Netgear firmware for the AX80 isn't very good anyway.
Newer Netgear routers like the Nighthawk R9000, the Nighthawk Pro Gaming (XRnnn), ... come wth https access for both LAN and Internet since thier existance, undoubted the AX will come with https, too. Unqualified rant I'd say.
Netgear made their money on us already. I have a long standing request supported by you and many others to get https added to gui access for configs. They don't care. Even if it creates an open text vulnerability against internal malware snooping. I am switching to Asus for the AX (wifi 6) generation. I suggest you consider the same. Seems like Netgear firmware for the AX80 isn't very good anyway. Im tired of excuses. Going to Asus
I'd like to plus-vote or resonate or whatever it takes to encourage Netgear to add an https server to their modem admin software so that admin changes on the LAN are not sent in the clear (and as such observable and changeable by other local network attackers). We can deal with self-signed certs. Here is a great explanation of why everything should be HTTPS/TLS: https://https.cio.gov/everything/
Another vote for HTTPS.
I concur with CyberTri's list ^ as well.
Default 'admin' username seems like a terrible idea where an attacker only needs to guess password, which thanks to http, can be easily compromised/guessed via a vulnerable website or node inside the LAN.
Currently using: Netgear Nighthawk R7000 V1.0.9.6_1.2.19, while Netgear Support R7000 firmware page states latest version available is 1.0.9.42. :facepalm:
