readycloud.netgear.com redirects to not using HTTPS this is a giant security problem
Whenever you go to log in to https://readycloud.netgear.com it then redirects to a non-SSL site. It is obvious this is a giant security hole which renders readycloud useless, if not outright dangerous, to use. The site allows someone to change their password with ZERO security in place.
There have been complaints about this for years, but no answers.
So is Netgear blindly setting up its users for disaster?
I realize the above is strongly worded, but you all have had years to fix this.
I love my readynas, I have owned three,... but that is it.
Re: readycloud.netgear.com redirects to not using HTTPS this is a giant security problem
There has been some talk about this subject, as follows:
There is a more formal document that I will check to see where it is located to post into this thread.
We do see the security concerns that you and others have voiced. There are some measures that we have put into place to make sure that the critical components are encrypted (Password and WAN data transfers). In the process of improving the LAN data transfers we had encountered some limitations that bring us to the current state of ReadyCLOUD.
Re: readycloud.netgear.com redirects to not using HTTPS this is a giant security problem
An example:
Log in to the site and then exit your browser. Then go back to http://readycloud.netgear.com/client/en/welcome.html.
Click on "Sign In" and you will be taken directly to your nas page, i.e. here: http://readycloud.netgear.com/client/index.html#page=access
From there select your username, settings, and then password. No SSL. There is a lot of fail going on there. If you work your way to your NAS you can find "Manage" buttons which will redirect you back to your local NAS, that part is all good. You can though do an awful lot without taking that step.
The man in the middle attack, and the multiple forms in which it could be exploited, should be plainly obvious.
Let me leave it at that.
I really like my ReadyNas(*) so please frame the above criticism with that in mind.
- Brian
*) All three Readynas, of which all three continue to spin up disks.
Re: readycloud.netgear.com redirects to not using HTTPS this is a giant security problem
The front-end is initially HTTP to be compatible with routers, from my understanding, but all communication takes place over SSL below that. Only the very top of the window is HTTP (the header), and the rest of the page is HTTPS.
Re: readycloud.netgear.com redirects to not using HTTPS this is a giant security problem
@kohdee wrote:
The front-end is initially HTTP to be compatible with routers, from my understanding, but all communication takes place over SSL below that. Only the very top of the window is HTTP (the header), and the rest of the page is HTTPS.
The problem here is that everyone is taught that HTTP is insecure. With good reason of course.
Anyway, I think HTTPS at the top layer should work fine these days.
Re: readycloud.netgear.com redirects to not using HTTPS this is a giant security problem
I am sorry, but the ReadyCloud site is not secure at all.
Taking a second look at this, it stands out pretty quickly.
Open up the access page and note that you have JavaScript loading from your readycloud site that can be used to interact with the rest of the content on the page.
You have a major problem.
Whoever put the page together didn't get the Google Analytics code right either. Look at how the JavaScript is being loaded.
For more background, here is an article by the nice folks at Mozilla who go into the problem with mixed content sites:
https://developer.mozilla.org/en-US/docs/Web/Security/Mixed_content
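
A defender-side check for the two conditions raised in this thread: a redirect hop that drops from HTTPS to HTTP, and scripts, frames, stylesheets or form targets that end up fetched over plain HTTP. This is an added example, not part of any post and not Netgear's code; the host names, the sample markup and the function names `find_downgrades` and `audit` are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose URL attribute loads active content or receives submitted form data.
ACTIVE = {"script": "src", "iframe": "src", "form": "action"}

def find_downgrades(chain):
    """Return (from, to) pairs where a redirect hop drops from https to http."""
    return [(a, b) for a, b in zip(chain, chain[1:])
            if urlsplit(a).scheme == "https" and urlsplit(b).scheme == "http"]

class InsecureRefs(HTMLParser):
    """Collect scripts, frames, stylesheets and form targets that resolve to http://."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.hits = page_url, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        name = ACTIVE.get(tag)
        if tag == "link" and "stylesheet" in (attrs.get("rel") or "").lower():
            name = "href"
        if not name or not attrs.get(name):
            return
        # Relative and scheme-relative URLs inherit the scheme of the page itself,
        # so on a page served over http they are fetched in cleartext too.
        target = urljoin(self.page_url, attrs[name])
        if urlsplit(target).scheme == "http":
            self.hits.append((tag, target))

def audit(page_url, html):
    parser = InsecureRefs(page_url)
    parser.feed(html)
    return parser.hits

# Constructed sample data (hypothetical host names, not captured from any real site).
SAMPLE_CHAIN = ["https://portal.example/", "http://portal.example/client/index.html"]
SAMPLE_HTML = """
<script src="js/app.js"></script>
<script src="https://cdn.example/lib.js"></script>
<script src="//stats.example/ga.js"></script>
<form action="/account/password" method="post"><input type="password" name="new"></form>
<img src="http://portal.example/logo.png">
"""

if __name__ == "__main__":
    print(find_downgrades(SAMPLE_CHAIN))
    for tag, url in audit(SAMPLE_CHAIN[-1], SAMPLE_HTML):
        print(tag, url)
```

The image is left out on purpose: the check reports only active content and form targets, which are the items that can read or alter the rest of the page or carry a submitted password.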