NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.
Status:
Engineering Investigation
Modems/Routers : Add HTTPS when connecting to the NETGEAR Genie page
Hi NETGEAR,
I have recently configured a few different NETGEAR ADSL Modems/Routers, to be specific the D6400 and DGND3700v2, but both of these don't appear to support a HTTPS connection to the NETGEAR genie web page. As far as I can tell from browsing all the links and sub links, you don't even have a setting to enable this. The only reference to HTTPS in the User Manual is to enable HTTPS for remote connections from the Internet (Manage the Modem Router Remotely, Page 244).
Would NETGEAR look at intergrating this in the next firmware release to improve security on your device?
Thank you in advance for taking the time to respond to my question, it is most appreciated.
Regards
55 Comments
R7000P work with internal https ?
My memory is that the R7000P does https, but I have now put it back on the shelf. And it was running custom firmware for beta tests.
The R7000P apparently does not support it yet. When I use either the IP or routerlogin.net with https I get:
routerlogin.net refused to connect
Safari and Chrome have the same results.
Mr., you don't understand Badgear idea. You must pay 350+$ to get default function of Chinese OEM.
Netgear...heellloooo!
VPNfilter is a perfect example of a malware snooping the local network for passwords!
Your suggestion of update firmware and change your password SUCKS. Get it together people. Secure our networks from local password snooping your plain text data transfers by:
1. Https available
2. Changing the user name from admin
3. Change the port used ex.(https://192.168.1.1:5000)
Then basic security is achieved and this malware can NOT read our router passwords.
Come on man! Seriously.
Another vote for HTTPS.
I concur with CyberTri's list ^ as well.
Default 'admin' username seems like a terrible idea where an attacker only needs to guess password, which thanks to http, can be easily compromised/guessed via a vulnerable website or node inside the LAN.
Currently using: Netgear Nighthawk R7000 V1.0.9.6_1.2.19, while Netgear Support R7000 firmware page states latest version available is 1.0.9.42. :facepalm:
I'd like to plus-vote or resonate or whatever it takes to encourage Netgear to add an https server to their modem admin software so that admin changes on the LAN are not sent in the clear (and as such observable and changeable by other local network attackers). We can deal with self-signed certs. Here is a great explanation of why everything should be HTTPS/TLS: https://https.cio.gov/everything/
Netgear made their money on us already. I have a long standing request supported by you and many others to get https added to gui access for configs. They don't care. Even if it creates an open text vulnerability against internal malware snooping. I am switching to Asus for the AX (wifi 6) generation. I suggest you consider the same. Seems like Netgear firmware for the AX80 isn't very good anyway. Im tired of excuses. Going to Asus
CyberTri wrote:
I have a long standing request supported by you and many others to get https added to gui access for configs. They don't care. Even if it creates an open text vulnerability against internal malware snooping. .... Seems like Netgear firmware for the AX80 isn't very good anyway.
Newer Netgear routers like the Nighthawk R9000, the Nighthawk Pro Gaming (XRnnn), ... come wth https access for both LAN and Internet since thier existance, undoubted the AX will come with https, too. Unqualified rant I'd say.
I use voxel. Doesn't fix the no tls session encryption issue but it makes my r7800 run like a banshee on crack. Try it. Use SSH for remote admin if you need it and keep http admin on the wan side disabled.
