Re: Why isn't ORBI Login Secure

prodport
Initiate

Why isn't ORBI Login Secure

I like the product but why is the browser login for Orbi insecure? (http://orbilogin.net/adv_index.htm). If I change to HTTPS I get a different error.

 

I don't use the phone app because I find the login process cumbersome and it never completes the task of checking for network updates. I also find it confusing having to have both an Orbi login and Netgear.

Model: RBW30|Orbi AC2200 Tri-band WiFi Add-on Satellite
Message 1 of 32

Accepted Solutions
CrimpOn
Guru

Re: Why isn't ORBI Login Secure


@willemdh wrote:

HTTPS is really important and should also be enabled inside the network. Otherwise the password used when logging in can easily be sniffed by bad actors.

Please add this feature asap... 


Done!

 

It works already.  The ugly thing, however, is that Netgear has totally messed up the SSL Certificate on the Orbi line, so modern browsers like Chrome will complain,  "The Cert is bad. Don't go there!  Oh, no.  The sky is falling."

 

Try it for yourself:  https://orbilogin.net.  Just ignore the warnings and proceed to the Orbi Home Page.  Works great!

 

https://community.netgear.com/t5/Orbi-Wi-Fi-5-AC-and-Orbi-with/Microsoft-Edge-and-now-Chrome-browser...


Message 22 of 32

All Replies
CrimpOn
Guru

Re: Why isn't ORBI Login Secure

Thank you for joining "The Choir".  These have been on-going issues for months now:

 

  • (Literally) since "the beginning" consumer WiFi routers have had unsecured web administration (http).
    My take was that a person had to be "on the inside" to reach the router web pages,
    and Remote Access is turned off by default, so the risk might have been determined to be minimal.
    In the last couple of years, there has been a huge push to encrypt almost all web sites, and Netgear is slow to adapt.
  • Netgear does support encrypted access to the web administration, through https,
    but unfortunately Netgear let their Ensure Certificate lapse in August and has not released updated firmware
    with a new certificate.  People are seriously annoyed when their web browsers now refuse to connect to the Orbi
    because of this.
  • Netgear is also joining the move to cloud based management with the Orbi app.
    There are many (many) devices now that can be managed only with a web app via the cloud.
    The Orbi "app" is slick, but (a) incomplete, (b) buggy, and (c) requires an internet cloud connection
    that many of us would rather avoid.

I think your observations are "spot on."

Message 2 of 32
FURRYe38
Guru

Re: Why isn't ORBI Login Secure

One issue is that there are certificates that need to be on local devices that would need to be effected for HTTPS to work on any router web page. Most router mfrs don't or probably won't try to support this as this would take more resources and support and with all kinds of various devices, PCs and browsers, this could be a monumental case to solve for just accessing a router's web page with https. Something until something gets exposed with using HTTP on the LAN side of the router's web page, just hasn't been a problem up to this point. Unless you have a known trouble maker on your LAN side, it's something that's not critical. I've never seen any problems stemming from use of HTTP with a router's web page yet.

Those router mfrs that do well, that's good as well. It would be nice if we could use either mode however.

Message 3 of 32
CrimpOn
Guru

Re: Why isn't ORBI Login Secure

I think this is the whole point of the "certificate" issue.  Netgear has implemented encrypted web access on the Orbi and included a certificate that was good from August 2, 2016 to August 2, 2019.  (Remote Access requires using https.)  So, yes, they shipped thousands of products that all had a valid security certificate.  Their failure to anticipate the certificate expiring and getting a new certificate out to the routers is what has caused so many web browsers to complain since August 2.

Message 4 of 32
FURRYe38
Guru

Re: Why isn't ORBI Login Secure

Agreed, that's the other thing. NG needs to update the current certificate.

Message 5 of 32
Retired_Member
Not applicable

Re: Why isn't ORBI Login Secure

Maybe I don't understand, but why are we concerned about a secure ORBI login?

 

I login with my home browser to my home router...??

 

All the communications and editing is done on my side of the router.

Message 6 of 32
CrimpOn
Guru

Re: Why isn't ORBI Login Secure

I completely agree that this does not make my "Top 10 List"  of things to be concerned about.   I also take comfort in the idea that I am not in the "top one million" WiFi sites anyone would want to crack.  But, I cannot help but notice the dramatic trend toward moving nearly everything to an encrypted connection.  Why send a password "in the clear" when it can easily be encrypted?  The software is already loaded on the Orbi.  All it takes is a simple redirection from http to https like all web sites are doing now.

 

The other thing, of course, is if Netgear encrypted the Orbi web site, people would quit posting questions wondering about it.

Message 7 of 32
prodport
Initiate

Re: Why isn't ORBI Login Secure

Hi Jim,

 

Good question and I can see the confusion.  The simple answer is your data is not encrypted between your router and connecting to the Orbi web page. This means someone could see your login credentials.  This doesn't mean anyone can view your credentials.  Folks need to know how to peek into this data.  But come January, you'll see more browsers discourage this type of login for security reasons.

 

I think the simplest visual representation I've seen is from Distilled.  This is a slideshare deck but you don't need to read it all. Start at slide 13 and you can go through to slide 18.

 

In my mind, the lack of HTTPS is shocking these days especially when the hardware is so critical to our web security.  And it's a lot easier to get certificates these days.

 

This issue prevents me from recommending the product to others. And I'm sure many enterprise security people who have to deal with executive hardware installations would discourage for this reason. 

 

My guess is the Orbi app makes a secure connection, but I don't use it for other reasons.

Message 8 of 32
Retired_Member
Not applicable

Re: Why isn't ORBI Login Secure

Thanks

 

I always thought the Orbi web(?) webpage actually resides on the router, there is no external passage.

 

 

 

 


@prodport wrote:

Hi Jim,

 

Good question and I can see the confusion.  The simple answer is your data is not encrypted between your router and connecting to the Orbi web page. This means someone could see your login credentials.  This doesn't mean anyone can view your credentials.  Folks need to know how to peek into this data.  But come January, you'll see more browsers discourage this type of login for security reasons.

 

I think the simplest visual representation I've seen is from Distilled.  This is a slideshare deck but you don't need to read it all. Start at slide 13 and you can go through to slide 18.

 

In my mind, the lack of HTTPS is shocking these days especially when the hardware is so critical to our web security.  And it's a lot easier to get certificates these days.

 

This issue prevents me from recommending the product to others. And I'm sure many enterprise security people who have to deal with executive hardware installations would discourage for this reason. 

 

My guess is the Orbi app makes a secure connection, but I don't use it for other reasons.


 

Message 9 of 32
FURRYe38
Guru

Re: Why isn't ORBI Login Secure

Any problems from using HTTP on the LAN side would only be seen on the LAN side. When remoting in from the WAN side, HTTPS is used. LAN side connection to the router's web page would not be seen on the WAN side. Thus again, not a major or critical issue to use HTTP for router web page use.

Message 10 of 32
Retired_Member
Not applicable

Re: Why isn't ORBI Login Secure


@FURRYe38 wrote:

Any problems from using HTTP on the LAN side would only be seen on the LAN side. When remoting in from the WAN side, HTTPS is used. LAN side connection to the router's web page would not be seen on the WAN side. Thus again, not a major or critical issue to use HTTP for router web page use.


Huh...??

 

who logs in to their Orbi remotely?  

Message 11 of 32

Re: Why isn't ORBI Login Secure


@Retired_Member wrote:

@FURRYe38 wrote:

Any problems from using HTTP on the LAN side would only be seen on the LAN side. When remoting in from the WAN side, HTTPS is used. LAN side connection to the router's web page would not be seen on the WAN side. Thus again, not a major or critical issue to use HTTP for router web page use.


Huh...??

 

who logs in to their Orbi remotely?  


Strange question.

 

Anyone who needs remote access.

 

 

 

Message 12 of 32
CrimpOn
Guru

Re: Why isn't ORBI Login Secure


@Retired_Member wrote:

who logs in to their Orbi remotely?  

Actually, it appears enough people want to log in to their router remotely that Netgear provides an option specifically for it, on the web interface and on the app interface.

 

I set up an Orbi 3,000 miles away and need a way to administer it without taking an expensive flight.  We have had numerous questions on the forum from people who have rental property and offer WiFi.  I agree that the vast majority of WiFi owners never look at their WiFi once it is set up, and the vast majority of those who do are on the "inside" of the WiFi.

Message 13 of 32
Retired_Member
Not applicable

Re: Why isn't ORBI Login Secure


@CrimpOn wrote:

@Retired_Member wrote:

who logs in to their Orbi remotely?  

Actually, it appears enough people want to log in to their router remotely that Netgear provides an option specifically for it, on the web interface and on the app interface.

 

I set up an Orbi 3,000 miles away and need a way to administer it without taking an expensive flight.  We have had numerous questions on the forum from people who have rental property and offer WiFi.  I agree that the vast majority of WiFi owners never look at their WiFi once it is set up, and the vast majority of those who do are on the "inside" of the WiFi.


OK....put me down as having never had the 'need' to do this.  For those that do, then the need for security can be an issue.

Message 14 of 32
FURRYe38
Guru

Re: Why isn't ORBI Login Secure

Orbi offers RM:

Turn Remote Management On


Remote Management Address: https://###.###.###.###:8443

 

It's the local LAN side that doesn't offer https that users are asking about:

http://orbilogin.com

 

Again, most router mfrs don't offer this. There are some though.

Message 15 of 32
CrimpOn
Guru

Re: Why isn't ORBI Login Secure


@FURRYe38 wrote:

It's the local LAN side that doesn't offer https that users are asking about:

 


Au contraire, mon ami.  The LAN side DOES support https.  Just type it in (https://<ip of orbi>).  And, when the web browser says, "WARNING - INSECURE - GO  BACK, GO BACK", click on the "Advanced" option (or similar) and go to the web page anyway.

Message 16 of 32
FURRYe38
Guru

Re: Why isn't ORBI Login Secure

Hmmm

 

https://192.168.0.1/start.htm

 

Can’t reach this page

•Make sure the web address https://192.168.0.1 is correct

Message 17 of 32

Re: Why isn't ORBI Login Secure

This "give us https" thing has been rattling around for years. It is a long running theme in the "ideas" section.

 

Idea Exchange For Home - NETGEAR Communities

 

for example, plenty of them here:

 

Search - NETGEAR Communities – https

 

As @FURRYe38 says, "http" access does seem to be an "industry standard". And it isn't limited to routers. NAS boxes can play the same game.

 

Out of interest, has anyone ever reported a security incident on their local network that they can put down to this "hole"?

Message 18 of 32
FURRYe38
Guru

Re: Why isn't ORBI Login Secure

I have yet to see any incidences with LAN side problem with a router's web page using HTTP. If anyone was going to cause a problem here, it would have to be from the LAN side. Some nefarious child with a laptop could possibly find a problem and exploit it.

Message 19 of 32

Re: Why isn't ORBI Login Secure

Thanks. That's what I thought.

 

"Paranoia runs deep."

 

No prize for anyone old enough to know where that comes from.

 

Message 20 of 32
willemdh
Initiate

Re: Why isn't ORBI Login Secure

HTTPS is really important and should also be enabled inside the network. Otherwise the password used when logging in can easily be sniffed by bad actors.

 

See https://www.guru99.com/wireshark-passwords-sniffer.html

 

Please add this feature asap... 

 

Message 21 of 32
CrimpOn
Guru

Re: Why isn't ORBI Login Secure


@willemdh wrote:

HTTPS is really important and should also be enabled inside the network. Otherwise the password used when logging in can easily be sniffed by bad actors.

Please add this feature asap... 


Done!

 

It works already.  The ugly thing, however, is that Netgear has totally messed up the SSL Certificate on the Orbi line, so modern browsers like Chrome will complain,  "The Cert is bad. Don't go there!  Oh, no.  The sky is falling."

 

Try it for yourself:  https://orbilogin.net.  Just ignore the warnings and proceed to the Orbi Home Page.  Works great!

 

https://community.netgear.com/t5/Orbi-Wi-Fi-5-AC-and-Orbi-with/Microsoft-Edge-and-now-Chrome-browser...

Message 22 of 32
FURRYe38
Guru

Re: Why isn't ORBI Login Secure

It would have to be from the LAN side. Some nefarious child or one of your household members or friends being "bad actors" with a laptop could possibly find a problem and exploit it.

 

Please post about your concerns there though:

https://community.netgear.com/t5/Idea-Exchange-For-Home/idb-p/idea-exchange-for-home

 

Good Luck. 

Message 23 of 32
FURRYe38
Guru

Re: Why isn't ORBI Login Secure

Thought the Don't Go There thing was fixed in v2.5.1.8? 


@CrimpOn wrote:

@willemdh wrote:

HTTPS is really important and should also be enabled inside the network. Otherwise the password used when logging in can easily be sniffed by bad actors.

Please add this feature asap... 


Done!

 

It works already.  The ugly thing, however, is that Netgear has totally messed up the SSL Certificate on the Orbi line, so modern browsers like Chrome will complain,  "The Cert is bad. Don't go there!  Oh, no.  The sky is falling."

 

Try it for yourself:  https://orbilogin.net.  Just ignore the warnings and proceed to the Orbi Home Page.  Works great!


 

Message 24 of 32
CrimpOn
Guru

Re: Why isn't ORBI Login Secure


@FURRYe38 wrote:

Thought the Don't Go There thing was fixed in v2.5.1.8? 



Chrome and Opera both complained just now.  (They didn't actually say, "The Sky is Falling!"  I made that up.)  The complaint is still about the self-signed cert.

 

Edge says:

This site is not secure

This might mean that someone’s trying to fool you or steal any info you send to the server. You should close this site immediately.

 

Opera says:

Your connection is not private

This server could not prove that it is 192.168.1.1; its security certificate is from www.routerlogin.net. This may be caused by a misconfiguration or an attacker intercepting your connection.

NET::ERR_CERT_COMMON_NAME_INVALID
 
Message 25 of 32
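The browser complaints quoted in this thread (a lapsed validity window, a certificate issued for www.routerlogin.net but reached as 192.168.1.1, a self-signed cert) can be told apart with a short check. The following is an added example, not code from any poster or from Netgear; the sample certificate is constructed, and `diagnose`, `name_matches` and the problem labels are hypothetical names chosen here.

```python
import ipaddress
import ssl
from datetime import datetime, timezone

# Constructed sample in the dict shape of ssl.SSLSocket.getpeercert(). Dates and
# name come from the thread; issuer == subject and the SAN entry are assumptions.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.routerlogin.net"),),),
    "issuer": ((("commonName", "www.routerlogin.net"),),),
    "notBefore": "Aug  2 00:00:00 2016 GMT",
    "notAfter": "Aug  2 00:00:00 2019 GMT",
    "subjectAltName": (("DNS", "www.routerlogin.net"),),
}

def _dns_match(pattern, host):
    # Exact match, or one wildcard standing in for the leftmost label.
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def name_matches(cert, host):
    # Only subjectAltName is consulted, as current browsers do; an IP
    # address must appear as an "IP Address" entry, not as a DNS name.
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return any(k == "DNS" and _dns_match(v.lower(), host.lower())
                   for k, v in sans)
    return any(k == "IP Address" and ipaddress.ip_address(v) == ip
               for k, v in sans)

def diagnose(cert, host, now):
    # Collect every reason a browser would reject `cert` for `host` at `now`.
    problems, ts = [], now.timestamp()
    if ts < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not_yet_valid")
    if ts > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    if not name_matches(cert, host):
        problems.append("name_mismatch")
    if cert.get("issuer") == cert.get("subject"):
        problems.append("self_signed")  # heuristic: issuer equals subject
    return problems

if __name__ == "__main__":
    when = datetime(2019, 9, 1, tzinfo=timezone.utc)
    for target in ("192.168.1.1", "orbilogin.net", "www.routerlogin.net"):
        print(target, diagnose(SAMPLE_CERT, target, when))
```

Each label corresponds to a separate fix on the device side: a renewed certificate, a certificate whose subjectAltName lists the name or IP actually typed, and a chain the browser trusts.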