RBR50 - insecure login
When logging into my Orbi RBR50 via the Orbilogin.com site it defaults to using an insecure login connection (http://orbilogin.com). Considering this could put the login name and password at risk is there any way to force/require Orbilogin.com to use HTTPS, or are there any firmware updates planned that would force the use of HTTPS for the login?
Accepted Solutions
This is correct. http is "not secure", which is why Orbi will never respond to an http connection from the internet. If "Remote Management" is activated in the Advanced Setup menu, it opens port 8443 to the internet and waits for an SSL connection attempt. Residential routers have used http for as long as I can remember, the theory being that someone has to break the WiFi encryption to get inside the network.
If you are concerned that someone can get inside the Orbi LAN and eavesdrop on conversations, then Orbi will respond to https connections from the LAN side (https://orbilogin.net). However, there is a problem with this approach as well. Last August, Netgear either (a) neglected, or (b) decided not, or (c) were not allowed to renew the SSL certificates for a bunch of URLs, including routerlogin.net, routerlogin.com, orbilogin.com, and orbilogin.net. With the current firmware release, Netgear has included a "self-signed" security certificate in the Orbi. Modern browsers complain about this. (STOP - GO BACK - POTENTIAL RISK - The Sky is Falling). Buried in the small print is a link to "Go ahead to the site anyway." If you choose this, then the browser takes you to the Orbi router web interface in an encrypted session.
I have read comments that "these days" it makes no sense for 1,000's of devices spread all around the world to claim that their SSL certificate for something like "routerlogin.net" is valid. The issue is far more complicated than one might think.
So, (a) you are correct, and (b) there is an (ugly) workaround.
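An added example, not part of the original post and not Netgear code: because a self-signed certificate can never chain to a public CA, one way to make the click-through workaround checkable is a trust-on-first-use fingerprint pin, recorded once and compared on later logins. The function names `fetch_der` and `check_pin` and the sample byte strings are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import socket
import ssl


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def fetch_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the certificate the device presents, without CA validation.

    Validation is disabled on purpose: trust comes from the pin comparison
    in check_pin(), not from a CA chain the self-signed cert cannot have.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def check_pin(host: str, der: bytes, pins: dict) -> str:
    """Compare a presented certificate with the pin recorded for host.

    Returns "first-seen" (pin recorded), "match", or "mismatch".
    A mismatch never overwrites the stored pin.
    """
    seen = fingerprint(der)
    pinned = pins.get(host)
    if pinned is None:
        pins[host] = seen
        return "first-seen"
    return "match" if hmac.compare_digest(pinned, seen) else "mismatch"


# Constructed stand-ins for DER certificate bytes (not real certificates).
SAMPLE_CERT_A = b"constructed-der-bytes-router-cert"
SAMPLE_CERT_B = b"constructed-der-bytes-different-cert"

if __name__ == "__main__":
    pins = {}
    for der in (SAMPLE_CERT_A, SAMPLE_CERT_A, SAMPLE_CERT_B):
        print(check_pin("orbilogin.net", der, pins))
```

On a live network, `check_pin("orbilogin.net", fetch_der("orbilogin.net"), pins)` performs the same comparison against the certificate the router actually presents; a "mismatch" means the certificate changed since it was first recorded and should be investigated before entering credentials.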
All Replies
Re: RBR50 - insecure login
I stand corrected, users can access the web pages using HTTPS://
Though the browser may tell you that the certificate is invalid, you can still access using https.
Thank you @CrimpOn.
NG hasn't offered HTTPS on their LAN side web page access since the LAN side would be hard to do anything with from the WAN side. Someone would have to be on the LAN side to do anything nefarious. NG hasn't offered any updates on this on most of their routers. Remote access from the WAN side uses HTTPS.
You can certainly put in a request for it:
https://community.netgear.com/t5/Idea-Exchange-For-Home/idb-p/idea-exchange-for-home
Good Luck.
Re: RBR50 - insecure login
Thanks for the feedback. It doesn't surprise me that the "LAN vs. WAN side logins" might be part of the reasoning behind this but it's disappointing. That argument might have been plausible 8-10 years ago but NetGear should know that logic doesn't float in today's world (with compromised Wifi standards and sophisticated phishing/malware.) In full disclosure, I'm an Infosec professional and have other workarounds to secure my login but have been waiting to see if they would implement HTTPS in a firmware upgrade. Having just upgraded today to 2.5.1.8 and still not seeing it fixed I figured I would go ahead and ask. Good to see others like you have noticed it as well. Guess I'll go submit a formal enhancement request and see if that does any good.
Re: RBR50 - insecure login
Remember, you are asking Netgear to disable http. https already exists.
Re: RBR50 - insecure login
True. Thanks for the clarification (although I will also ask that a more reputable cert be used so as to not confuse users who get the ugly browser warnings.)