Re: Do any of the NETGEAR Modems/Routers use HTTPS when connecting to the NETGEAR Genie page?

AlphaBravo88 · ‎2016-03-07

Hi NETGEAR,

I have recently configured a few different NETGEAR ADSL Modems/Routers, to be specific the D6400 and DGND3700v2, but both of these don't appear to support a HTTPS connection to the NETGEAR genie web page. As far as I can tell from browsing all the links and sub links, you don't even have a setting to enable this. The only reference to HTTPS in the User Manual is to enable HTTPS for remote connections from the Internet (Manage the Modem Router Remotely, Page 244).

Is there a reason you don't have enabled and even more so enforcing HTTPS on the NETGEAR genie page? It is extremely poor security practices in this day and age.

If I am not mistaken, would NETGEAR look at intergrating this in the next firmware release?

Thank you in advance for taking the time to respond to my question, it is most appreciated.

Regards

TheEther · ‎2016-03-11

I'm just guessing but Netgear probably figured that you should be able to trust your home network well enough to only use http.

You can try posting a request for https support on their Netgear's Idea Exchange for Home forum (link). I see that someone posted a similar request for the R7000. You can either upvote it or create a new request.

AlphaBravo88 · ‎2016-03-14

If you're accessing it from a wireless device, then your connection is not necassarily secure. It's very well known these days, especially from a Google search, how to hack wireless networks. I won't be recommending these to anyone I know living in an apartment complex.

Thank you for the Netgear's Idea Exchange, I hadn't seen this page. I'll add my request to the forum, but not hopeful they'll do anything about it. If they did care about security, it would already be intergrated into all firmware release.

TheEther · ‎2016-03-14

@AlphaBravo88 wrote:
If you're accessing it from a wireless device, then your connection is not necassarily secure. It's very well known these days, especially from a Google search, how to hack wireless networks. I won't be recommending these to anyone I know living in an apartment complex.

Let's frame the relative danger of accessing a Netgear router using http from a local machine in the proper context.

A wireless network needs to be hacked before any data transported through a local http session would be exposed. AFAIK, a wireless network operated under WPA2-AES security can only be hacked by brute force guessing of the password. A strong Wi-Fi password (at least 12 characters) would take several lifetimes to crack under most circumstances. If you are concerned about a nation-state actor with access to supercomputers, then a 16 character or longer password will take care of them, too. It'd probably be easier for them to use Rubber-hose cryptanalysis.

If your wireless network is hacked, then you have bigger problems. As in, all of the devices and machines on your home network can be attacked directly. Suppose that local machine was using https to talk to the router, it's game over if the machine itself is compromised.

Don't get me wrong, I think it would be great if Netgear supported https for logging into routers, but lack of support is not really a compelling reason to recommend against buying their products.

w3wilkes · ‎2016-03-14

Like Ether says, not that big a deal. However, i would be nice if Netgear tested the current http server and made sure it worked with the current set of popular browsers. Many posts talking about problems with not being able to change settings boil down to the http server not working with the browser used to access the router http interface.