ASUS RT-AC68U Firmware 3.0.0.4.378.6152

[john9527]

One thing I changed is I put that new login page on a diet

Just wondering.....does the logon change hit every web page or is it centralized in one place ? (I figured you had been busy on this since there haven't been any new commits in a while )

 

[RMerlin]

Just wondering.....does the logon change hit every web page or is it centralized in one place ? (I figured you had been busy on this since there haven't been any new commits in a while )

There's a dedicated login page now that gets shown when logging in (Main_Login.asp). This replaces the previous basic auth requester that was displayed by your browser.

All that work is in a separate 6065 branch BTW.

 

[john9527]

All that work is in a separate 6065 branch BTW.

Brain check on my part to not check for a new branch...thanks for the pointer.

 

[L&LD]

If you are referring to the Run Command page, this is not coming back anytime soon. This was a major security liability.

It takes less time to connect through SSH than it takes to login to the webui, click on two different links to reach the Run Cmd page, and run the command.

Yes, the Run Command page.

While I appreciate that SSH is quicker, I do not want SSH enabled on any routers I support.

 

[RMerlin]

Yes, the Run Command page.

While I appreciate that SSH is quicker, I do not want SSH enabled on any routers I support.

But you want a glaring, open backdoor right on the unencrypted webui? I don't follow your logic, sorry

 

[L&LD]

But you want a glaring, open backdoor right on the unencrypted webui? I don't follow your logic, sorry

Sorry, I thought that the new login screen would change that. Thanks for fixing my logic!

I assumed that it would be more secure than having another potential door open to malicious users.

 

[RMerlin]

Sorry, I thought that the new login screen would change that. Thanks for fixing my logic!

I assumed that it would be more secure than having another potential door open to malicious users.

I'm not sure how solid the new token scheme is when it comes to cross-site vulnerabilities, so I'd rather not chance it at all.

 

[IAAI]

using lastpass makes no sense , can't risk saving all my passwords at one place (cloud)!

Here we go https://blog.lastpass.com/2015/06/lastpass-security-notice.html/

Thats exactly why i don't recommend lastpass or any cloud password service at all


Sent from my iPad using Tapatalk HD

 

[IAAI]

I wonder what was asus reason behind changing the login method . Did any user complain about the old method ?

Screw back front door lol , do they have some kind of a master password jk


Sent from my iPad using Tapatalk HD

 

[RMerlin]

I wonder what was asus reason behind changing the login method . Did any user complain about the old method ?

The token system is far more resistant to cross-site attacks AFAIK. Other firmwares also did the switch to that system in the past months.