Re: Unencrypted dashboard Login. No https!

CyberTri
Luminary

Unencrypted dashboard Login. No https!

Why is the 192.168.1.1 address for the dashboard GUI not HTTPS? I captured traffic using wireshark and the GET string contains the Authentication Basic (base 64) encoding in plain text. Take that string to any online decoder and there it is....my user/pass fully decrypted.

How is this secure? What is the problem to enable HTTPS please! All other routers do this. It's almost 2018.
Model: R8000|Nighthawk X6 AC3200 Smart WIFI Router
Message 1 of 15
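A defender-side check of what the post above describes, added here as an example and not part of the original thread: it scans a plain-HTTP request (as exported from a capture) for an HTTP Basic `Authorization` header, which is only base64 of `user:pass`, and raises an alert that names the account but never writes the password. The request text, host and credentials are constructed placeholders.

```python
import base64
import re

# Constructed sample of a plain-HTTP request to a router admin page as it
# appears on the wire. The credentials are placeholders, not real ones.
SAMPLE_REQUEST = (
    "GET /start.htm HTTP/1.1\r\n"
    "Host: 192.168.1.1\r\n"
    "Authorization: Basic YWRtaW46aHVudGVyMg==\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "\r\n"
)

_AUTH_RE = re.compile(r"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$", re.I | re.M)
_HOST_RE = re.compile(r"^Host:\s*(\S+)", re.I | re.M)


def find_basic_auth(raw_request: str):
    """Return (username, password) if the request carries an HTTP Basic
    Authorization header, else None. Basic auth is not encryption: the
    header is base64('user:pass'), readable by anyone who sees the bytes."""
    m = _AUTH_RE.search(raw_request)
    if not m:
        return None
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed header, not a credential leak we can confirm
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def report_cleartext_credentials(raw_request: str, dst_port: int) -> str:
    """Alert when Basic auth travels over a non-TLS port. Only the username
    and the password length are reported, so the alert itself leaks nothing."""
    creds = find_basic_auth(raw_request)
    if creds is None:
        return "no Basic auth header"
    if dst_port == 443:
        return "Basic auth present but carried over TLS; not readable on the wire"
    host = _HOST_RE.search(raw_request)
    target = host.group(1) if host else "?"
    return (f"ALERT cleartext Basic auth to {target}:{dst_port} "
            f"user={creds[0]!r} password=<redacted, {len(creds[1])} chars>")
```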
RMinNJ
Luminary

Re: Unencrypted dashboard Login. No https!

Doh.. I do see that in a browser:

Your connection is not private

Attackers might be trying to steal your information from 192.168.1.1 (for example, passwords, messages, or credit cards). Learn more

NET::ERR_CERT_AUTHORITY_INVALID

I do see they have remote management on :8440 if one turns it on..
 
I guess these do not want to deal with SSL certs on the main admin interface?
Model: R7800|Nighthawk X4S AC2600 WiFi Router
Message 2 of 15
TheEther
Guru

Re: Unencrypted dashboard Login. No https!

Message 3 of 15

Re: Unencrypted dashboard Login. No https!

It is coming.

Just another user.

My network DM200 -> R7800 -> GS316 -> PL1000 -> Orbi RBR40 -> Orbi RBS50Y -> RBS40V
Message 4 of 15
antinode
Guru

Re: Unencrypted dashboard Login. No https!

> How is this secure?

How is it vulnerable? If all the unencrypted traffic is on your LAN, where's the threat? For remote access, I'll admit that it's sub-ideal.

 


> I guess these do not want to deal with SSL certs on the main admin
> interface?

That'd be my guess, too. With all the firmware bugs I've seen in these things, securing the Web server would not be my first priority.

Message 5 of 15
RMinNJ
Luminary

Re: Unencrypted dashboard Login. No https!

I agree the threat is minimal on one's LAN. But in a congested neighborhood one must assume there could be teenagers trying to sniff the wifi. It's really just good security practice.

 

In the same way NetGear runs telnetd on these for getting in on the command line vs ssh.

 

 

Message 6 of 15
CyberTri
Luminary

Re: Unencrypted dashboard Login. No https!

First of all, do you understand how lateral malware works? What threat detection are you using in your home network? None? Not on your PC...on your network. Do you understand what happens when IOT webcams, refrigerators, Alexas, Google Homes, wifi thermostats, etc. get hacked? They sniff. And they send malware disguised as digitally signed .dll files as zero day attacks and other means to different hosts that can be hard to recognize until it's too late.

This is besides the Samba share weaknesses that Nessus points out on my X6 amongst 4 or 5 other known issues I never expect Netgear to solve. BUT this one (not using https) IS solvable! And if turning on https needs to be a selectable option because Netgear is worried about browsers showing the cert isn't a valid cert according to 3rd party standards, then put the option to turn on HTTPS in the advanced menu area and mention that browsers may warn users of cert validity and that we can ignore it as TLS1.2 encryption will still be active.

Secondly, I don't care if you personally are willing to take the risk. I don't want plain text user and passwords sent inside my network. If I had a better choice I would probably rethink my choice of routers. But Netgear does offer some solutions to issues I have for an affordable price. For now I can't choose a different product.

It's not difficult to solve and if you are fine with it, why are you in this post commenting? It's my problem not yours, right? Please don't spread false information stating how it doesn't matter for something you don't even care about. It matters to me and I stated my case clearly.

Thanks.
Message 7 of 15
RMinNJ
Luminary

Re: Unencrypted dashboard Login. No https!

Ouch, I didn't mean to offend or spread false information. I apologize for posting in your thread. Let me see if I can delete my post.

Message 8 of 15
RMinNJ
Luminary

Re: Unencrypted dashboard Login. No https!

I asked the moderator to delete my post. I apologize for posting in your thread.

 

I do see how my post comes across as declaring it's ok... it's really not. Heck, I did not even see an option on my R7000 or 7800 that would allow the admin UI on a wired connection only.

Message 9 of 15

Re: Unencrypted dashboard Login. No https!

Don't worry. This is a community forum. No one owns it, not even Netgear in the final analysis.

 

You are free to say what you like, preferably politely. It is only through discussions like this that we learn the intricacies of these things, and that some people have different approaches to security. Some are so paranoid that you wonder why they ever go on line. Others are so laid back that you wonder how they last more than a few minutes before someone hijacks their systems.

 

It didn't help that the original message was based on a misconception. But hopefully we have all learned something.

 

I have just remembered where I read that Netgear is getting ready to implement https (see above). I think it was in one of those messages in the "feature request" zone. Sadly, the only discussion I can find has this assigned to "Engineering Investigation".

 

Just another user.

My network DM200 -> R7800 -> GS316 -> PL1000 -> Orbi RBR40 -> Orbi RBS50Y -> RBS40V
Message 10 of 15
CyberTri
Luminary

Re: Unencrypted dashboard Login. No https!

I didn't mean to come across harshly. I just want Netgear to take issues like this seriously.

Yes. I am a paranoid Security Engineer.

Sorry
Message 11 of 15

Re: Unencrypted dashboard Login. No https!

Quite right too.

 

You've done the best thing by raising it in the "suggestions" bit of this forum. Here it will just get mixed up with issues about getting a router to work.

 

Modems/Routers : Add HTTPS when connecting to the ... - NETGEAR Communities

 

Not sure that you have said as much there as you have here.

 

 

Just another user.

My network DM200 -> R7800 -> GS316 -> PL1000 -> Orbi RBR40 -> Orbi RBS50Y -> RBS40V
Message 12 of 15
CyberTri
Luminary

Re: Unencrypted dashboard Login. No https!

Ok Netgear! No excuses now. Krack is real and this is enough reason to enable Https once you release the patch.

https://techcrunch.com/2017/10/16/heres-what-you-can-do-to-protect-yourself-from-the-krack-wifi-vuln...
Message 13 of 15
JamesGL
Master

Re: Unencrypted dashboard Login. No https!

Hi CyberTri,

 

NETGEAR has released a KB article for Krack issue.

 

https://kb.netgear.com/000049498/Security-Advisory-for-WPA-2-Vulnerabilities-PSV-2017-2826-PSV-2017-...

Message 14 of 15
CyberTri
Luminary

Re: Unencrypted dashboard Login. No https!

I use bridge mode. Release a patch and enable https for dashboard login please.

Thanks.
Message 15 of 15