TP-Link hates SSL

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

TP-Link hates SSL

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
TP-Link hates SSL
TP-Link hates SSL
2017-10-17 22:15:33
Model :

Hardware Version :

Firmware Version :

ISP :

Hey all,

Today you've probably heard that researchers announced a vulnerability. Relevant paper: https://papers.mathyvanhoef.com/ccs2017.pdf

And I started to update my devices such as Mac, IPhone, Windows 10, Raspberry PI, IPad. They all are almost fine now. But my sweet TW-8979 V1 router is not...

First of all, still there is no any firmwares. But it's ok. They created a post that says "wait for our second post". And they added, patch will be downloadable next week. Still ok.

But more serious problem than that is, there is no SSL certificated neither on 192.168.1.1 administration page nor on TP-Link official web site. Isn't it a mortal vulnerability for you guys? How can we ensure a firmware is trustable and unchanged which is downloaded from your web site?

I don't know, maybe I'm missing a point. Please enlighten me. I really need it.
  0      
  0      
#1
Options
4 Reply
Re:TP-Link hates SSL
2017-10-18 10:34:43
As far as I know . the 192.168.1.1 is on the LAN side , so Data transfer only within the LAN. It would not expose to the Internet due to NAT, so data is unreachable for attackers and they cannot forge an http server in the LAN to do any harm neither. All in all, it’s safe to visit the management interface of the router.
  0  
  0  
#2
Options
Re:TP-Link hates SSL
2017-10-18 19:21:40
If you look at this, you will see that the attackers don't need to connect the network: https://youtu.be/Oh4WURZoR98?t=50

If the attackers can capture our network without connecting the network, their first step will be adding a spy our network. This might be a port listening application or fake firmware etc. I mean, if they need to reach the network, they can do it easily. Because our routers don't have any https protection.

As I said, even tp-link web site has no https protection. And that's the deadly problem.

Shield101 wrote

As far as I know . the 192.168.1.1 is on the LAN side , so Data transfer only within the LAN. It would not expose to the Internet due to NAT, so data is unreachable for attackers and they cannot forge an http server in the LAN to do any harm neither. All in all, it’s safe to visit the management interface of the router.
  0  
  0  
#3
Options
Re:TP-Link hates SSL
2017-10-26 19:57:13
I agree HTTPS is an urgent and immediate requirement.

TP-Link should be making this a top priority to update ALL current and past devices to support HTTPS for their admin panels.


We use a R470t+ in the office to load balance 2 ADSL connections, we supply hot desks and meeting room services so we have multiple people access our LAN either via Wifi or ethernet. Any of these people could easily intercept the admin panel credentials or ANYTHING being done within it.

Yes there are various things TP-link would probably suggest in order to deflect blame such as VLANS, Separate networks etc but however you look at it. TP link NEED to provide HTTPS support for all their web panels past current and future. INCLUDING their site, support site, and these forums.

And as mentioned before, even a remote attacker can still access a LAN. That's why we all need various security suites these days. A simple network sniffer installed onto a local computer (as easily as opening a bad email or link) could then start bleeding out anything that is not secured via LAN.

If its a matter of finances... Go and use lets encrypt, or Comodos free certs. There really is no excuses. Even self signed for the admin panel on LAN would be sufficient so long as there is encryption.
  0  
  0  
#4
Options
Re:TP-Link hates SSL
2017-10-27 10:24:17
Even though the management interface of our routers is of http, I think there is no need to worry about password leak because there is security protection on login password during authentication.
Fake websites usually use similar domain names or DNS hijacking (resolve a domain to fake IP address) to scam people. When we use WAN IP address to remotely visit the router, it’s believed that the visit points to the corresponding and right router. Before we use a domain to visit the router, we can verify whether the DDNS domain name is bond to the correct IP address and whether the DDNS domain name is correct.
  0  
  0  
#5
Options

Information

Helpful: 0

Views: 1112

Replies: 4

Related Articles