Re: Netgear Router Administrative Web Interface Lacks Transport Encryption By Default
Full Disclosuremailing list archivesFrom: Gynvael Coldwind <gynvael () coldwind 2025-2-18 04:10:33 Author: seclists.org(查看原文) 阅读量:5 收藏
Full Disclosuremailing list archivesFrom: Gynvael Coldwind <gynvael () coldwind 2025-2-18 04:10:33 Author: seclists.org(查看原文) 阅读量:5 收藏
Full Disclosure mailing list archives
From: Gynvael Coldwind <gynvael () coldwind pl>
Date: Sun, 16 Feb 2025 13:04:42 +0100
Hi, This isn't really a problem a vendor can solve in firmware (apart from offering configuration via cloud, which has its own issues). Even if they would enable TLS/SSL by default, it would just give one a false sense of security, since: - the certificates would be invalid (public CAs don't give out certs for IP addresses), - they would be easy to clone (due to being self-signed and/or being easy to extract from a similar device), - and most users would have no idea how to verify it anyway (they would just click through warnings). So effectively it can still be MITMed. This is one of the problems that has to be solved on the user side, i.e. initialize (first boot) the device in a safe environment and upload a proper certificate (this requires an internal CA), and disable HTTP. And then train the staff to always configure these from a browser that trusts the internal CA. Cheers, -- Gynvael Coldwind _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/
Current thread:
- Netgear Router Administrative Web Interface Lacks Transport Encryption By Default Ryan Delaney via Fulldisclosure (Feb 16)
- Re: Netgear Router Administrative Web Interface Lacks Transport Encryption By Default Gynvael Coldwind (Feb 17)
文章来源: https://seclists.org/fulldisclosure/2025/Feb/14
如有侵权请联系:admin#unsafe.sh
如有侵权请联系:admin#unsafe.sh