NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.
Status:
Engineering Investigation
Modems/Routers : Add HTTPS when connecting to the NETGEAR Genie page
Hi NETGEAR,
I have recently configured a few different NETGEAR ADSL Modems/Routers, to be specific the D6400 and DGND3700v2, but both of these don't appear to support a HTTPS connection to the NETGEAR genie web page. As far as I can tell from browsing all the links and sub links, you don't even have a setting to enable this. The only reference to HTTPS in the User Manual is to enable HTTPS for remote connections from the Internet (Manage the Modem Router Remotely, Page 244).
Would NETGEAR look at intergrating this in the next firmware release to improve security on your device?
Thank you in advance for taking the time to respond to my question, it is most appreciated.
Regards
55 Comments
I'm guessing it's intentional. Probably a way for backdoor access when any 3 letter comes asking. Netgear sells you out pronto.
Under what scenario can someone from outside your local network get into the Netgear genie web page? And under what are circumstances can someone on the local network can break in uninvited?
This issue keeps coming up, but as yet no one has provided a convincing explanation of why this leaves them open to attack.
More important, no one has reported a case of being attacked in this way.#
Congratulations on finding, and using the desktop genie. Netgear is doing its best to deter people from using this valuable tool. It has certainly stopped providing updates.
mdlockwood understand your frustration in a way.
mdlockwood wrote:It only supports http for local administration (with no way to disable)
In absence of https a little bit difficult to be without a management access, isn't it?
mdlockwood wrote:and can not limit to "wired" connections.
Unless you use an open wireless, when using WPA2-PSK the connection is AES encrypted isn't it? Nobody will see the content of your wireless, including credentials.
mdlockwood wrote:In addition, it proudly displays my credentials in plain text on the http rendered interface (wireless setup page).
Not without a password authorisation. More and more routers offer home assistant features allowing to query the WiFi password, apps show wireless details as QR code and in plain text. This called convenience.
You obviously don't get how man in the middle and malware snooping for plain text works.
CyberTri these will also sniff for https and the many known certificates and shared private keys on such consumer devices. A little bit unclear where and how these will manage to get into the data path however - so often as some security analysts want us to believe this. Yes, WPA2-AES might be cracked, too.
"But i had a https session to my router." Yeah, if you want to believe...
Oh and the wireless Mesh backhaul was so convenient, too....
Look, if bad guys want something from your organisations they will either seek for physical access, or abuse the poor security awareness of the users on your network anyway. Much easier, much less expensive, much less effort.
But hey, of course I do agree with you!
