TP-Link hates SSL

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2017-10-17 22:15:33
Hey all,

Today you've probably heard that researchers announced a vulnerability. Relevant paper: https://papers.mathyvanhoef.com/ccs2017.pdf

And I started to update my devices such as Mac, iPhone, Windows 10, Raspberry Pi, iPad. They all are almost fine now. But my sweet TW-8979 V1 router is not...

First of all, there is still no firmware. But it's ok. They created a post that says "wait for our second post". And they added that the patch will be downloadable next week. Still ok.

But a more serious problem than that is that there is no SSL certificate either on the 192.168.1.1 administration page or on the TP-Link official web site. Isn't it a mortal vulnerability for you guys? How can we ensure that firmware downloaded from your web site is trustworthy and unchanged?

I don't know, maybe I'm missing a point. Please enlighten me. I really need it.
Re:TP-Link hates SSL
2017-10-18 10:34:43
As far as I know, 192.168.1.1 is on the LAN side, so data is transferred only within the LAN. It would not be exposed to the Internet due to NAT, so the data is unreachable for attackers, and they cannot forge an HTTP server in the LAN to do any harm either. All in all, it's safe to visit the management interface of the router.
Re:TP-Link hates SSL
2017-10-18 19:21:40
If you look at this, you will see that the attackers don't need to connect to the network: https://youtu.be/Oh4WURZoR98?t=50

If the attackers can capture our network without connecting to the network, their first step will be adding a spy to our network. This might be a port-listening application or fake firmware, etc. I mean, if they need to reach the network, they can do it easily, because our routers don't have any HTTPS protection.

As I said, even the TP-Link web site has no HTTPS protection. And that's the deadly problem.

Shield101 wrote:

As far as I know, 192.168.1.1 is on the LAN side, so data is transferred only within the LAN. It would not be exposed to the Internet due to NAT, so the data is unreachable for attackers, and they cannot forge an HTTP server in the LAN to do any harm either. All in all, it's safe to visit the management interface of the router.
Re:TP-Link hates SSL
2017-10-26 19:57:13
I agree HTTPS is an urgent and immediate requirement.

TP-Link should be making this a top priority to update ALL current and past devices to support HTTPS for their admin panels.

We use an R470t+ in the office to load-balance 2 ADSL connections. We supply hot desks and meeting room services, so we have multiple people accessing our LAN either via Wi-Fi or Ethernet. Any of these people could easily intercept the admin panel credentials or ANYTHING being done within it.

Yes, there are various things TP-Link would probably suggest in order to deflect blame, such as VLANs, separate networks, etc., but however you look at it, TP-Link NEED to provide HTTPS support for all their web panels, past, current and future, INCLUDING their site, support site, and these forums.

And as mentioned before, even a remote attacker can still access a LAN. That's why we all need various security suites these days. A simple network sniffer installed onto a local computer (as easily as opening a bad email or link) could then start bleeding out anything that is not secured via LAN.

If it's a matter of finances... Go and use Let's Encrypt, or Comodo's free certs. There really are no excuses. Even self-signed for the admin panel on LAN would be sufficient so long as there is encryption.
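An added example, not part of any post in this thread and not TP-Link code, on the self-signed suggestion above: a self-signed certificate encrypts the session, but it only tells the client who is on the other end if the client remembers the certificate's fingerprint from a first, trusted connection and compares it on every later one. The pin-store file name and the function names are assumptions, and the certificate bytes in the demo are constructed.

```python
import hashlib
import hmac
import json
import socket
import ssl
from pathlib import Path


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def fetch_cert_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the peer certificate without CA validation.

    A self-signed certificate would fail CA validation anyway; trust comes
    from the pin comparison in check_pin(), not from this handshake.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def check_pin(store: Path, host: str, der_cert: bytes) -> str:
    """Trust on first use: return 'first-use', 'match' or 'mismatch'."""
    pins = json.loads(store.read_text()) if store.exists() else {}
    seen = fingerprint(der_cert)
    if host not in pins:
        # Only safe if this first connection happens on a trusted link,
        # e.g. a cable plugged straight into the router.
        pins[host] = seen
        store.write_text(json.dumps(pins, indent=2))
        return "first-use"
    # A mismatch means the certificate changed: a firmware reset, or
    # someone else on the LAN answering in the router's place.
    return "match" if hmac.compare_digest(pins[host], seen) else "mismatch"


if __name__ == "__main__":
    import tempfile
    store = Path(tempfile.mkdtemp()) / "router_pins.json"  # assumed file name
    router_cert = b"constructed bytes standing in for the router's DER cert"
    other_cert = b"constructed bytes standing in for a different cert"
    for cert in (router_cert, router_cert, other_cert):
        print(check_pin(store, "192.168.1.1", cert))
```

Against a real panel, pass `fetch_cert_der("192.168.1.1")` as the certificate argument and refuse to send credentials on anything other than `match`.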
Re:TP-Link hates SSL
2017-10-27 10:24:17
Even though the management interface of our routers uses HTTP, I think there is no need to worry about a password leak because there is security protection on the login password during authentication.
Fake websites usually use similar domain names or DNS hijacking (resolving a domain to a fake IP address) to scam people. When we use the WAN IP address to remotely visit the router, it's believed that the visit points to the corresponding and right router. Before we use a domain to visit the router, we can verify whether the DDNS domain name is bound to the correct IP address and whether the DDNS domain name is correct.