Security-related questions about VR2800
As a casual user I'm quite satisfied with my VR2800 that I purchased more than a year ago. It has decent performance and I like the hardware design: fanless (no noise and no moving parts to fail mechanically) and my unit doesn't have coil whine that some of my previous routers suffered from. The admin UI is well organised, easy to use and looks good.
Unfortunately there are a few security-related issues that always bothered the nerd inside me but up until this point I tried to ignore them:
- Before upgrading to the latest firmware (Jan 2021) the max admin password length was 15 characters. This has been fixed by the firmware upgrade: I could successfully set a 30-character-long password.
- I can't find an option to disable the insecure HTTP admin port. I'd prefer HTTPS-only out of the box even if the default certificate is self-signed. I don't see the point of HTTP.
- The default certificate has a lot of issues:
  - The key size is only 1024 bits. The recommended secure minimum has been 2048 bits for ages and it will be 3072 bits starting with year 2030.
  - The validity of the certificate is between years 1970 and 2038. Today the max validity period of a valid certificate is 825 days and this might become even shorter (about one year) in the future. The validation rules can change with newly released SSL libraries.
  - Due to the weak key size and the insanely long validity period modern client libraries treat this certificate as "insecure" or "invalid" even after marking it as trusted. A certificate with such a ridiculously long validity period that ends in 2038 should have a very strong future-proof key (3072 or 4096 bits). Even better: I'd prefer an option to provide my own certificate that is accepted as valid/secure by my browser after marking it as trusted. Currently this would require a decent key size (at least 2048 bits) and a validity period that is not too long (at most 825 days).
- I checked whether it's possible to connect to the router via telnet or ssh.
  - Telnet is running and login is possible using the admin password.
  - There is an ssh server running on the router and I don't know the login. This raises a few question marks...
Some of the above issues bother me because they seem to be rookie mistakes and I'd expect better solutions from someone who's developing the firmware of a security-sensitive device like this. This makes me wonder whether my router has some even more serious issues (something that could grant remote access to an attacker).
Questions:
- Can we expect a fix to the easy-to-fix issues? (disabling plain HTTP, increasing cert key size)
- What about the SSH server? I'd like to have control over it. Login access and/or an option to disable it.
- I've seen the source code of the firmware on the download page. Is that the full source code or only a part of it?
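
The certificate checks listed in the post (RSA key size, validity period), as an added example that is not part of the original post or the vendor's code. It audits the text printed by `openssl x509 -noout -text`; the thresholds are the ones the post cites, and the sample dump, its exact dates and the function names are constructed for illustration.

```python
import re
from datetime import datetime, timezone

MIN_RSA_BITS = 2048       # minimum key size cited in the post
MAX_VALIDITY_DAYS = 825   # maximum validity period cited in the post

# Constructed sample shaped like `openssl x509 -noout -text` output for a
# certificate matching the post's description (exact dates are assumed).
SAMPLE_TEXT = """\
Certificate:
    Data:
        Validity
            Not Before: Jan  1 00:00:00 1970 GMT
            Not After : Jan  1 00:00:00 2038 GMT
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
"""

def _parse_time(value):
    # OpenSSL pads single-digit days ("Jan  1 ..."); collapse the spacing.
    value = " ".join(value.split())
    parsed = datetime.strptime(value, "%b %d %H:%M:%S %Y GMT")
    return parsed.replace(tzinfo=timezone.utc)

def audit_cert_text(text, now=None):
    """Return a list of findings for one certificate text dump."""
    bits = re.search(r"Public-Key: \((\d+) bit\)", text)
    nb = re.search(r"Not Before\s*:\s*(.+)", text)
    na = re.search(r"Not After\s*:\s*(.+)", text)
    if not (bits and nb and na):
        return ["unparseable: key size or validity not found"]
    key_bits = int(bits.group(1))
    not_before, not_after = _parse_time(nb.group(1)), _parse_time(na.group(1))
    now = now or datetime.now(timezone.utc)
    findings = []
    # The bit-length threshold only applies to RSA keys, not EC keys.
    if "rsaEncryption" in text and key_bits < MIN_RSA_BITS:
        findings.append(f"weak RSA key: {key_bits} bits < {MIN_RSA_BITS}")
    days = (not_after - not_before).days
    if days > MAX_VALIDITY_DAYS:
        findings.append(f"validity too long: {days} days > {MAX_VALIDITY_DAYS}")
    if not (not_before <= now <= not_after):
        findings.append("outside validity window")
    return findings

if __name__ == "__main__":
    for finding in audit_cert_text(SAMPLE_TEXT):
        print(finding)
```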