| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAAnPYQ76wBHNym2LhY4T-wmhSCoFe=ZcGWoNNED39-TSYTiRWw@mail.gmail.com> Date: Sun, 16 Feb 2025 13:04:42 +0100 From: Gynvael Coldwind <gynvael@...dwind.pl> To: Ryan Delaney <ryan.delaney@...sp.org> Cc: fulldisclosure@...lists.org Subject: Re: [FD] Netgear Router Administrative Web Interface Lacks Transport Encryption By Default Hi, This isn't really a problem a vendor can solve in firmware (apart from offering configuration via cloud, which has its own issues). Even if they would enable TLS/SSL by default, it would just give one a false sense of security, since: - the certificates would be invalid (public CAs don't give out certs for IP addresses), - they would be easy to clone (due to being self-signed and/or being easy to extract from a similar device), - and most users would have no idea how to verify it anyway (they would just click through warnings). So effectively it can still be MITMed. This is one of the problems that has to be solved on the user side, i.e. initialize (first boot) the device in a safe environment and upload a proper certificate (this requires an internal CA), and disable HTTP. And then train the staff to always configure these from a browser that trusts the internal CA. Cheers, -- Gynvael Coldwind _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/
Powered by blists - more mailing lists