× NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.
× Introducing the new Orbi 770 Series Mesh System. To learn more click here.
Orbi WiFi 7 RBE973
Reply

Re: RBR50 - insecure login

ATLThrasher22
Aspirant

RBR50 - insecure login

When logging into my Orbi RBR50 via the Orbilogin.com site it defaults to using an insecure login connection (http://orbilogin.com).  Considering this could put the login name and password at risk is there any way to force/require Orbilogin.com to use HTTPS, or are there any firmware updates planned that would force the use of HTTPS for the login?

Model: RBR50|Orbi AC3000 Tri-band WiFi Router
Message 1 of 6

Accepted Solutions
CrimpOn
Guru

Re: RBR50 - insecure login

This is correct.  http is "not secure", which is why Orbi will never respond to an http connection from the internet.  If "Remote Management" is activated in the Advanced Setup menu, it opens port 8443 to the internet and waits for an SSL connection attempt.  Residential routers have used http for as long as I can remember, the theory being that someone has to break the WiFi encryption to get inside the network.

 

If you are concerned that someone can get inside the Orbi LAN and eavesdrop on conversations, then Orbi will respond to https connections from the LAN side. ( https://orbilogin.net)  However, there is a problem with this approach as well.  Last August, Netgear either (a) neglected, or (b) decided not, or (c) were not allowed to renew the SSL certificates for a bunch of URL's, including routerlogin.net, routerlogin.com, orbilogin.com, and orbilogin.net.  With the current firmware release, Netgear has included a "self-signed" security certificate in the Orbi.  Modern browsers complain about this.  (STOP - GO BACK - POTENTIAL RISK - The Sky is Falling).  Buried in the small print is a link to "Go ahead to the site anyway."  If you choose this, then the browser takes you to the Orbi router web interface in an encrypted session.

 

I have read comments that "these days" it makes no sense for 1,000's of devices spread all around the world to claim that their SSL certificate for something like "routerlogin.net" is valid.  The issue is far more complicated than one might think.

 

So, (a) you are correct, and (b) there is an (ugly) workaround.

View solution in original post

Message 3 of 6

All Replies
FURRYe38
Guru

Re: RBR50 - insecure login

I stand corrected, users can access the web pages using HTTPS://

Thought browser may tell you that the certficate is invalid. You can still access using https. 

Thank you @CrimpOn

 

NG hasn't offered HTTPS on there LAN side web page access since the LAN side would be hard to do anything with from the WAN side. Someone would have to be the LAN side to do anything hefarious. NG hasn't offered any updates on this on most of there routers. Remote access from the WAN side uses HTTPS. 

 

You can certainaly put in a request for it:

https://community.netgear.com/t5/Idea-Exchange-For-Home/idb-p/idea-exchange-for-home

 

Good Luck. 

Message 2 of 6
CrimpOn
Guru

Re: RBR50 - insecure login

This is correct.  http is "not secure", which is why Orbi will never respond to an http connection from the internet.  If "Remote Management" is activated in the Advanced Setup menu, it opens port 8443 to the internet and waits for an SSL connection attempt.  Residential routers have used http for as long as I can remember, the theory being that someone has to break the WiFi encryption to get inside the network.

 

If you are concerned that someone can get inside the Orbi LAN and eavesdrop on conversations, then Orbi will respond to https connections from the LAN side. ( https://orbilogin.net)  However, there is a problem with this approach as well.  Last August, Netgear either (a) neglected, or (b) decided not, or (c) were not allowed to renew the SSL certificates for a bunch of URL's, including routerlogin.net, routerlogin.com, orbilogin.com, and orbilogin.net.  With the current firmware release, Netgear has included a "self-signed" security certificate in the Orbi.  Modern browsers complain about this.  (STOP - GO BACK - POTENTIAL RISK - The Sky is Falling).  Buried in the small print is a link to "Go ahead to the site anyway."  If you choose this, then the browser takes you to the Orbi router web interface in an encrypted session.

 

I have read comments that "these days" it makes no sense for 1,000's of devices spread all around the world to claim that their SSL certificate for something like "routerlogin.net" is valid.  The issue is far more complicated than one might think.

 

So, (a) you are correct, and (b) there is an (ugly) workaround.

Message 3 of 6
ATLThrasher22
Aspirant

Re: RBR50 - insecure login

Thanks for the feedback.  It doesn't surprise me that the "LAN vs. WAN side logins" might be part of the reasoning behind this but it's disappointing.  That argument might have been plausible 8-10 years ago but NetGear should know that logic doesn't float in today's world (with compromised Wifi standards and sophisticated phishing/malware.)  In full disclosure, I'm an Infosec professional and have other workarounds to secure my login but have been waiting to see if they would implement HTTPS in a firmware upgrade.  Having just upgraded today to 2.5.1.8 and still not seeing it fixed I figured I would go ahead and ask.  Good to see others like you have noticed it as well.  Guess I'll go submit a formal enhancement request and see if that does any good. 

Model: RBR50|Orbi AC3000 Tri-band WiFi Router
Message 4 of 6
CrimpOn
Guru

Re: RBR50 - insecure login

Remember, you are asking Netgear to disable http.  https already exists.

Message 5 of 6
ATLThrasher22
Aspirant

Re: RBR50 - insecure login

True.  Thanks for the clarification (although I will also ask that a more reputable cert be used so as to not confuse users who get the ugly browser warnings.)

 

 

Message 6 of 6
Top Contributors
Discussion stats
  • 5 replies
  • 2853 views
  • 4 kudos
  • 3 in conversation
Announcements

Orbi 770 Series