Re: Unencrypted dashboard Login. No https!
Unencrypted dashboard Login. No https!
How is this secure? What is the problem to enable HTTPS please! All other routers do this. It's almost 2018.
Re: Unencrypted dashboard Login. No https!
Doh.. I do see that in a browser:
Your connection is not private
Attackers might be trying to steal your information from 192.168.1.1 (for example, passwords, messages, or credit cards). Learn more
Re: Unencrypted dashboard Login. No https!
Just another user.
My network DM200 -> R7800 -> GS316 -> PL1000 -> Orbi RBR40 -> Orbi RBS50Y -> RBS40V
Re: Unencrypted dashboard Login. No https!
> How is this secure?
How is it vulnerable? If all the unencrypted traffic is on your LAN,
where's the threat? For remote access, I'll admit that it's sub-ideal.
> I guess these do not want to deal with SSL certs on the main admin
> interface?
That'd be my guess, too. With all the firmware bugs I've seen in
these things, securing the Web server would not be my first priority.
Re: Unencrypted dashboard Login. No https!
I agree the threat is minimal on one's LAN. But in a congested neighborhood one must assume there could be teenagers? trying to sniff the wifi. It's really just good security practice.
In the same way NetGear runs telnetd on these for getting in on the command line vs ssh.
Re: Unencrypted dashboard Login. No https!
This is besides the Samba share weaknesses that Nessus points out on my X6 amongst 4 or 5 other known issues I never expect Netgear to solve. BUT this one (not using https) IS solvable! And if turning on https needs to be a selectable option because Netgear is worried about browsers showing the cert isn't a valid cert according to 3rd party standards, then put the option to turn on HTTPS in the advanced menu area and mention that browsers may warn users of cert validity and that we can ignore it as TLS 1.2 encryption will still be active.
Secondly, I don't care if you personally are willing to take the risk. I don't want plain text user and passwords sent inside my network. If I had a better choice I would probably rethink my choice of routers. But Netgear does offer some solutions to issues I have for an affordable price. For now I can't choose a different product.
It's not difficult to solve and if you are fine with it, why are you in this post commenting? It's my problem, not yours, right? Please don't spread false information stating how it doesn't matter for something you don't even care about. It matters to me and I stated my case clearly.
Thanks.
Re: Unencrypted dashboard Login. No https!
Ouch, I didn't mean to offend or spread false information. I apologize for posting in your thread. Let me see if I can delete my post.
Re: Unencrypted dashboard Login. No https!
I asked the moderator to delete my post. I apologize for posting in your thread.
I do see how my post comes across as declaring it's OK... it's really not. Heck, I did not even see an option on my R7000 or 7800 that would allow the admin UI on a wired connection only.
Re: Unencrypted dashboard Login. No https!
Don't worry. This is a community forum. No one owns it, not even Netgear in the final analysis.
You are free to say what you like, preferably politely. It is only through discussions like this that we learn the intricacies of these things, and that some people have different approaches to security. Some are so paranoid that you wonder why they ever go on line. Others are so laid back that you wonder how they last more than a few minutes before someone hijacks their systems.
It didn't help that the original message was based on a misconception. But hopefully we have all learned something.
I have just remembered where I read that Netgear is getting ready to implement https (see above). I think it was in one of those messages in the "feature request" zone. Sadly, the only discussion I can find has this assigned to "Engineering Investigation".
Just another user.
My network DM200 -> R7800 -> GS316 -> PL1000 -> Orbi RBR40 -> Orbi RBS50Y -> RBS40V
Re: Unencrypted dashboard Login. No https!
Yes. I am a paranoid Security Engineer.
Sorry
Re: Unencrypted dashboard Login. No https!
Quite right too.
You've done the best thing by raising it in the "suggestions" bit of this forum. Here it will just get mixed up with issues about getting a router to work.
Modems/Routers : Add HTTPS when connecting to the ... - NETGEAR Communities
Not sure that you have said as much there as you have here.
Just another user.
My network DM200 -> R7800 -> GS316 -> PL1000 -> Orbi RBR40 -> Orbi RBS50Y -> RBS40V
Re: Unencrypted dashboard Login. No https!
https://techcrunch.com/2017/10/16/heres-what-you-can-do-to-protect-yourself-from-the-krack-wifi-vuln...
Re: Unencrypted dashboard Login. No https!
Hi CyberTri,
NETGEAR has released a KB article for the Krack issue.
Re: Unencrypted dashboard Login. No https!
Thanks.