brianaker
Aspirant

readycloud.netgear.com redirects to not using HTTPS this is a giant security problem

Whenever you go to log in to https://readycloud.netgear.com it then redirects to a non-SSL site. It is obvious this is a giant security hole which renders readycloud useless, if not outright dangerous, to use. The site allows someone to change their password with ZERO security in place.

There have been complaints about this for years, but no answers.

So is Netgear blindly setting up its users for disaster?

I realize the above is strongly worded, but you all have had years to fix this.

I love my readynas, I have owned three,... but that is it.

Message 1 of 6
OOM-9
NETGEAR Expert

Re: readycloud.netgear.com redirects to not using HTTPS this is a giant security problem

There has been some talk about this subject, as follows:

https://community.netgear.com/t5/New-to-ReadyNAS/Security-of-ReadyCLOUD-vs-Offline-and-mobile-app/m-...

There is a more formal document that I will check to see where it is located to post into this thread.

 

We do see the security concerns that you and others have voiced. There are some measures that we have put into place to make sure that the critical components are encrypted (password and WAN data transfers). In the process of improving the LAN data transfers we encountered some limitations that bring us to the current state of ReadyCLOUD.

Message 2 of 6
brianaker
Aspirant

Re: readycloud.netgear.com redirects to not using HTTPS this is a giant security problem

An example:

Log in to the site and then exit your browser. Then go back to http://readycloud.netgear.com/client/en/welcome.html.

Click on "Sign In" and you will be taken directly to your NAS page, i.e. here: http://readycloud.netgear.com/client/index.html#page=access

From there select your username, settings, and then password. No SSL. There is a lot of fail going on there. If you work your way to your NAS you can find "Manage" buttons which will redirect you back to your local NAS, that part is all good. You can though do an awful lot without taking that step.

The man in the middle attack, and the multiple forms in which it could be exploited, should be plainly obvious.

Let me leave it at that.

I really like my ReadyNas(*) so please frame the above criticism with that in mind.

  - Brian

*) All three Readynas, of which all three continue to spin up disks.

Message 3 of 6
kohdee
NETGEAR Expert

Re: readycloud.netgear.com redirects to not using HTTPS this is a giant security problem

The front-end is initially HTTP to be compatible with routers, from my understanding, but all communication takes place over SSL below that. Only the very top of the window is HTTP (the header), and the rest of the page is HTTPS. 

Message 4 of 6
StephenB
Guru

Re: readycloud.netgear.com redirects to not using HTTPS this is a giant security problem


@kohdee wrote:

The front-end is initially HTTP to be compatible with routers, from my understanding, but all communication takes place over SSL below that. Only the very top of the window is HTTP (the header), and the rest of the page is HTTPS. 


The problem here is that everyone is taught that HTTP is insecure. With good reason of course.

Anyway, I think HTTPS at the top layer should work fine these days.

Message 5 of 6
brianaker
Aspirant

Re: readycloud.netgear.com redirects to not using HTTPS this is a giant security problem

I am sorry, but the ReadyCloud site is not secure at all.

Taking a second look at this, it stands out pretty quickly.

Open up the access page and note that you have Javascript loading from your readycloud site that can be used to interact with the rest of the content on the page.

You have a major problem.

Whoever put the page together didn't get the Google Analytics code right either. Look at how the Javascript is being loaded.

For more background, here is an article by the nice folks at Mozilla who go into the problem with mixed content sites:

https://developer.mozilla.org/en-US/docs/Web/Security/Mixed_content

Message 6 of 6
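The two checks that Brian's posts above describe by hand (a login redirect that lands on plain HTTP, and a page whose scripts and stylesheets are fetched over HTTP) can be turned into a small audit script. This is an added example, not code from the thread or from Netgear; the redirect chain, hostnames and HTML below are constructed samples, and a real audit would feed it the redirect history and page body returned by an HTTP client.

```python
"""Audit a login flow for an HTTPS->HTTP downgrade and a page for mixed content.

Added example (not from the thread). The redirect chain and the HTML are
constructed samples; no real site is contacted.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag/attribute pairs that load *active* content (scripts, frames, styles):
# an attacker who can tamper with these controls the whole page.
ACTIVE = {("script", "src"), ("iframe", "src"), ("link", "href"), ("object", "data")}
# Passive content is less severe but still leaks and can be swapped.
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src")}

def downgrade_hops(chain):
    """Return (from, to) pairs where a redirect leaves https:// for http://."""
    bad = []
    for src, dst in zip(chain, chain[1:]):
        if urlparse(src).scheme == "https" and urlparse(dst).scheme == "http":
            bad.append((src, dst))
    return bad

class MixedContentScanner(HTMLParser):
    """Collect sub-resources that an HTTPS page would fetch over plain HTTP."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.active, self.passive = [], []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # <link> only fetches something when it is a stylesheet.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        for name, value in attrs.items():
            if not value:
                continue
            absolute = urljoin(self.page_url, value)  # resolves "//host/x" to https
            if urlparse(absolute).scheme != "http":
                continue  # https:, data:, etc. are not mixed content
            if (tag, name) in ACTIVE:
                self.active.append(absolute)
            elif (tag, name) in PASSIVE:
                self.passive.append(absolute)

def scan_mixed_content(page_url, html):
    """Return {'active': [...], 'passive': [...]} HTTP URLs referenced by html."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return {"active": scanner.active, "passive": scanner.passive}

# Constructed samples (hypothetical hosts, not the real service).
CHAIN = ["https://login.example.test/", "http://app.example.test/client/index.html"]
SAMPLE_HTML = """<html><head>
<script src="http://app.example.test/client/app.js"></script>
<script src="https://www.google-analytics.com/analytics.js"></script>
<link rel="stylesheet" href="http://app.example.test/style.css">
<link rel="canonical" href="http://app.example.test/">
</head><body><img src="//app.example.test/logo.png">
<img src="http://app.example.test/banner.png"></body></html>"""
```

Any entry in `active` means the page's login and password forms can be rewritten by whoever controls the network path, which is the man-in-the-middle risk the thread describes.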