Re: HTTPS access to the web interface.

alokeprasad
Mentor

HTTPS access to the web interface.

Do the RBR50 and RBS50 accept HTTPS and HTTP connections from my devices on my LAN?

 

Chrome is warning me that the CA root certificate issued to www.routerlogin.net is invalid.

"This CA Root certificate is not trusted because it is not in the Trusted Root Certification Authorities store."

 

So does Internet Explorer:

Error Code: DLG_FLAGS_INVALID_CA
DLG_FLAGS_SEC_CERT_CN_INVALID

 

I don't want to enable "Always Use HTTPS to Access Router" in the web interface (Advanced - Web Services Management), in case I get locked out of the web interface if the certificates are not set up correctly.  That setting should not be needed to make secure connections.

Model: RBK53|Orbi AC3000 Tri-band WiFi System
Message 1 of 17
schumaku
Guru

Re: HTTPS access to the web interface.

Well, go over the exceptions and accept... this is it.

Message 2 of 17
alokeprasad
Mentor

Re: HTTPS access to the web interface.

OK to accept a cert with uncertain chain of authenticity?

How do we know that the cert wasn't compromised and would allow a man-in-the-middle attack?

 

NG should distribute a valid certificate with the firmware...

Message 3 of 17
alokeprasad
Mentor

Re: HTTPS access to the web interface.

I see that this has come up before.  No progress since then ...

 

https://community.netgear.com/t5/Orbi/Why-isn-t-ORBI-Login-Secure/m-p/1812545/highlight/true#M72955 

Message 4 of 17
schumaku
Guru

Re: HTTPS access to the web interface.


@alokeprasad wrote:

OK to accept a cert with uncertain chain of authenticity?

How do we know that the cert wasn't compromised and would allow a man-in-the-middle attack?


The typical question of people who have not much idea what is required to have no questions asked, just showing a "lock" in the browser, just citing some wonderful warnings ...

 

It's the standard problem when using self-signed certificates. Blunt theory: before accepting the exception you must compare the certificate signature with the one shown. If it's the same, a MITM is unlikely. And of course, as it's a self-signed certificate, there can't be a chain to a root trusted by all your browser makers...

 

Have your own DNS, your own domain (these two would allow letting a public CA sign your certificate), in case of a local domain your own PKI (certificate authority) with all the infrastructure required to operate a CRL and OCSP, and have this integrated with all your browsers and mobile devices? Then you could request that Netgear add a feature to run a CSR to be signed by your CA.

 


@alokeprasad wrote:

NG should distribute valid certificate with the firmware...


Well, two possible answers.

 

  1. Netgear did ... they had a nicely signed certificate in place, the "lock" came up when using e.g. https.//orbilogin.com/ ... needless to say this required including the (same) private key, and it broke the CA legal requirements.
  2. What would you suggest? 

 

Where should this intruder be in a home network where all clients connect to the Orbi system wirelessly, resp. by more or less direct wired network connections?

Message 5 of 17
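As an added illustration of the "compare the fingerprint before accepting the exception" advice above (example code, not from the post or from NETGEAR): a stdlib-only Python script that pulls the leaf certificate the router presents, reports whether the OS trust store accepts the chain, and compares the SHA-256 fingerprint with one recorded earlier from the router's own certificate viewer. The host name routerlogin.net and the pinned value are assumptions; SAMPLE_DER is constructed bytes for offline use, not a real certificate.

```python
"""Trust-on-first-use check for a router's self-signed HTTPS certificate."""
import hashlib
import socket
import ssl

# Constructed placeholder so the fingerprint helpers can run offline.
# It is NOT a real DER certificate; fetch_leaf_cert() returns the real one.
SAMPLE_DER = b"constructed-sample-bytes-not-a-certificate"


def fetch_leaf_cert(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Return the DER-encoded leaf certificate the device presents.

    Verification is disabled on purpose: the goal is to *read* the
    self-signed certificate so it can be compared out of band, not to trust it.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def chain_is_trusted(host: str, port: int = 443, timeout: float = 5.0) -> bool:
    """True only if the OS trust store validates the chain and the name matches."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except ssl.SSLCertVerificationError:
        return False


def sha256_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated uppercase form browsers show."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Accept fingerprints with or without colons/spaces, any letter case."""
    return fp.replace(":", "").replace(" ", "").upper()


def fingerprint_matches(der: bytes, pinned: str) -> bool:
    """Compare the presented certificate with a fingerprint recorded earlier."""
    return normalize(sha256_fingerprint(der)) == normalize(pinned)


if __name__ == "__main__":
    host = "routerlogin.net"  # assumption: Orbi management host name
    der = fetch_leaf_cert(host)
    print("trusted by OS store:", chain_is_trusted(host))
    print("SHA-256:", sha256_fingerprint(der))
```

Record the fingerprint once while physically at the router (e.g. from the browser's certificate viewer), then a later mismatch is the signal worth investigating rather than clicking through.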
alokeprasad
Mentor

Re: HTTPS access to the web interface.

Sure, self-signed certs are a problem for external web sites and less so for sites (like the router interface) on this side of the NAT.

But there can be malware like trojans that can get on the LAN and change the DNS entries or other aspects of the router settings.

 

If NG's self-signed certs are leaked, the certs cannot be revoked by the usual signing authorities.

 

Couldn't NG provide valid certificates (signed by CA authorities) through firmware updates?

Message 6 of 17
schumaku
Guru

Re: HTTPS access to the web interface.

Paranoia inside?

Message 7 of 17
alokeprasad
Mentor

Re: HTTPS access to the web interface.

BTW, for those who want to add the NG cert to their browser, the instructions are at

 

https://kb.netgear.com/000061586/I-get-a-security-warning-in-my-browser-when-I-try-to-log-in-to-my-N...

 

Message 8 of 17
schumaku
Guru

Re: HTTPS access to the web interface.

Paranoia inside?

 


@alokeprasad wrote:

Sure, self-signed certs are a problem for external web sites and less so for sites (like the router interface) on this side of the NAT.


Well, the web browser makers did everything to make such situations visible.

 


@alokeprasad wrote:

But there can be malware like trojans that can get on the LAN and change the DNS entries or other aspects of the router settings.


If they are on your router and on your home network - you are lost anyway. 

 


@alokeprasad wrote:

If NG's self-signed certs are leaked, the certs cannot be revoked by the usual signing authorities.


If they are supplying the (same?) signed certificate, the leak happens along with making that firmware available for download.

 


@alokeprasad wrote:

Couldn't NG provide valid certificates (signed by CA authorities) through firmware updates?


As I've told you before - Netgear did this before.

 

Do you expect an individual certificate signed by a CA for each router installation? This would be the answer - but way too expensive.

Message 9 of 17
alokeprasad
Mentor

Re: HTTPS access to the web interface.


@schumaku wrote:

Paranoia inside?

Some paranoia is good.  Leads to asking questions and better understanding of what to watch out for.

 

"Just because you're paranoid doesn't mean they aren't after you." - Joseph Heller

Message 10 of 17
schumaku
Guru

Re: HTTPS access to the web interface.


@alokeprasad wrote:

@schumaku wrote:

Paranoia inside?


Some paranoia is good.  Leads to asking questions and better understanding of what to watch out for.


I would suggest to review the proposed idea from the NTGR KB then...

Message 11 of 17
alokeprasad
Mentor

Re: HTTPS access to the web interface.


@schumaku wrote:

 


@alokeprasad wrote:

If NG's self-signed certs are leaked, the certs cannot be revoked by the usual signing authorities.


If they are supplying the (same?) signed certificate, the leak happens along with making that firmware available for download.

 

If the private key to a cert signed by proper authorities, and distributed by NG, is found to be leaked, then the signing authorities could revoke it and the OS or browsers could add it to the blacklist.

 


@alokeprasad wrote:

Couldn't NG provide valid certificates (signed by CA authorities) through firmware updates?


As I've told you before - Netgear did this before.

 

Why did they stop? Seems like a good idea to continue.

 

Do you expect an individual certificate signed by a CA for each router installation? This would be the answer - but way too expensive.

 

Just what they used to do.


As you probably surmised, I'm not a security expert by any means.  Just trying to be aware of things that could go wrong and if there's anything a user could reasonably be expected to do about it.

 

Message 12 of 17
schumaku
Guru

Re: HTTPS access to the web interface.


@alokeprasad wrote:

@schumaku wrote:

 


@alokeprasad wrote:

If NG's self-signed certs are leaked, the certs cannot be revoked by the usual signing authorities.


If they are supplying the (same?) signed certificate, the leak happens along with making that firmware available for download.

 

If a cert signed by proper authorities, and distributed by NG, is found to be leaked, then the signing authorities could revoke it and the OS or browsers could add it to the blacklist.


The moment the private key becomes available, the certificate must be revoked.

 

Once revoked, checking OCSP would show it immediately, the CRL would be updated with some delay - and the router management would not be reachable anymore at all....

 


@alokeprasad wrote:

@schumaku wrote:

 


@alokeprasad wrote:

Couldn't NG provide valid certificates (signed by CA authorities) through firmware updates?


As I've told you before - Netgear did this before.

 

Why did they stop? Seems like a good idea to continue.


Just to "look good" and have a "lock" shown - ignoring that the private key became exposed - which was used to sign the certificate by Entrust CA? Netgear has been accused of not properly protecting the root certificate in an HSM (what a joke - a device costing much much much more than a router). I had been warning Netgear about the issue for years (and I certainly was not alone) - long before some "security researchers" picked this up making a big noise.... That was about the additional 2.5 years Netgear claimed to know about the issue.

 

Not everything that looks secure is secure. 

 


@alokeprasad wrote:

@schumaku wrote:

Do you expect an individual certificate signed by a CA for each router installation? This would be the answer - but way too expensive.

 

Just what they used to do.



Well, they can't really...

 


@alokeprasad wrote:

@schumaku wrote:

As you probably surmised, I'm not a security expert by any means.  Just trying to be aware of things that could go wrong and if there's anything a user could reasonably be expected to do about it.


Look, I've built and implemented PKIs for finance, government, military, and multinational organisations - including all the legal and organisational processes for almost 20 years 8-)   

 

Now back to the Netgear KB proposal - certainly newer Chrome and "new" Chromium based Edge can't be faked anymore by adding the CER to the list of trusted roots - the prompts won't stop for good reasons. Firefox will conclude there was an exception added, ...

Message 13 of 17
CrimpOn
Guru

Re: HTTPS access to the web interface.


@alokeprasad wrote:

Sure, self-signed certs are a problem for external web sites and less so for sites (like the router interface) on this side of the NAT.

But there can be malware like trojans that can get on the LAN and change the DNS entries or other aspects of the router settings.


Would like to see more explanation of this question. Would the trojan be manipulating the Orbi DNS tables?  DNS tables on individual computers?

 

Can someone answer this: what happens if one of these names below is entered when the Orbi is in Access Point (AP) mode?   (mine cannot be put into AP mode, so I cannot test).

 

www.routerlogin.net
routerlogin.net
www.orbilogin.com
orbilogin.net
routerlogin.com
orbilogin.com
www.routerlogin.com
www.orbilogin.net

It appears to me that resolution of these URLs is somehow "special" (in the sense that it definitely does NOT go through any normal DNS process). This is why entering any of them when not connected to the Orbi LAN results in "not found".

Message 14 of 17
alokeprasad
Mentor

Re: HTTPS access to the web interface.

 


@schumaku wrote:

Now back to the Netgear KB proposal - certainly newer Chrome and "new" Chromium based Edge can't be faked anymore by adding the CER to the list of trusted roots - the prompts won't stop for good reasons. Firefox will conclude there was an exception added, ...


You are correct.  This is a pointless cosmetic exercise for Chrome, Edge and IE users. They don't make secure connections even after adding the certificate.  Firefox does, but the padlock has a tiny yellow exclamation indicating that "you have added a security exception for this site".

Question: are all these browsers still encrypting the traffic between my browser and the Orbi (albeit noting that the encryption is using certs that are not signed by CA authorities)? Thus making the connection "Not secure" because of use of certificates of uncertain authenticity?

If there is a guy in my house with a packet sniffer, will he be able to read the traffic if I use Chrome, Edge, IE? What about Firefox (I added the routerlogin.net cert to my Windows PC as a personal cert).

 

Message 15 of 17
CrimpOn
Guru

Re: HTTPS access to the web interface.


@alokeprasad wrote:

Question: are all these browsers still encrypting the traffic between my browser and the Orbi (albeit noting that the encryption is using certs that are not signed by CA authorities)? Thus making the connection "Not secure" because of use of certificates of uncertain authenticity?

If there is a guy in my house with a packet sniffer, will he be able to read the traffic if I use Chrome, Edge, IE? What about Firefox (I added the routerlogin.net cert to my Windows PC as a personal cert).

 


If the browser shows https, then traffic is encrypted.

Message 16 of 17
schumaku
Guru

Re: HTTPS access to the web interface.


@alokeprasad wrote:

Question: are all these browsers still encrypting the traffic between my browser and the Orbi (albeit noting that the encryption is using certs that are not signed by CA authorities)? Thus making the connection "Not secure" because of use of certificates of uncertain authenticity?


Sure it is encrypted.

 


@alokeprasad wrote:

If there is a guy in my house with a packet sniffer, will he be able to read the traffic if I use Chrome, Edge, IE? What about Firefox (I added the routerlogin.net cert to my Windows PC as a personal cert).


He can read the traffic - which is again encrypted in the secured WPA2-AES or ideally WPA3-SAE-AES connection. Hard to say if the packets captured on air are streamed music or video, http, or https ... Granted: on WPA2-AES, the KRACK attack does allow gradually matching encrypted packets seen before and learning the full keychain used to encrypt the traffic. 

Message 17 of 17