Re: Password being sent over insecure network.

MeteorMike · ‎2019-10-21

I've set up my router and have changed my password from the default. Now when I login to the router it says the user name and password are being sent over an insecure line. Is the www.routerlogin.net not a secure site?

Netduma_Alex · ‎2019-10-22

routerlogin.net is a secure site, but it doesn't have a certificate. This is because it's not really a website, but rather just a link to a local device.

Basically, Netgear routers have a built in DNS redirect which means routerlogin.net sends you to your router's IP address. Your browser probably sees this as a real website, it doesn't know you're connecting to something local. The local router doesn't have a certificate, so your browser assumes that your connection has been hijacked by a man in the middle, which it KIND OF has been, but just by your router.

So basically yes, it's totally secure. You can add an exception for routerlogin.net to your browser so that it doesn't ask you about this constantly.

schumaku · ‎2019-10-22

@Netduma_Alex wrote:
routerlogin.net is a secure site, but it doesn't have a certificate. This is because it's not really a website, but rather just a link to a local device
....
So basically yes, it's totally secure. You can add an exception for routerlogin.net to your browser so that it doesn't ask you about this constantly.

Alex,
Something must be wrong then - either with the RAX implementation (no https at all? Hey there can't be https without a certificate of any kind!) or with the certificate (which is in place on newer Nighthawk routers or Orbi/Orbi Pro routers). Netgear _has_ a certificate signed by Entrust which is in place (along with the private key - yalla yalla all use the same [that's the only real "inscure" part - but it looks good to the browsers]). The weak point? That certificate (valid e.g. for routerlogin.net, orbilogin.com ,...) expired back in the early days of August 2019 and Netgear failed since t provide updated firmware with a _new_ certificate.

If there is https, click on the red security information and see what is wrong. Adding a security exception is a bad idea - modern browsers don't allow permanent excpetoins anymore.

Regards,

-Kurt.

schumaku · ‎2019-10-22

FWIW: Missed this part: The Web server on the newer Netgear routers supporting http and https _are_ real Web pages. The way the IP address is resolved is not relevant. For https, there must be a private key and a signed certificate (of course), otherwise the WEb server service would not start.

MeteorMike · ‎2019-10-23

Thanks guys! This helps a great deal. Now I know that at the most it is a local problem and my password isn't being snarffed.

@schumaku wrote:
FWIW: Missed this part: The Web server on the newer Netgear routers supporting http and https _are_ real Web pages. The way the IP address is resolved is not relevant. For https, there must be a private key and a signed certificate (of course), otherwise the WEb server service would not start.