HTTPS web access from WAN

[colecaz]

In accessing my RT-AC66U running Merlin 378.52 via Https I get a warning from Chrome about an unverified certificate. After I agree I know it's dangerous and go on to access the router I get the Https indication at the beginning of the router URL and the logon popup comes up normally. However, after logging on the Https indication has a red line through it and a unlocked padlock appears in front of it and I am able to configure the router. This happens both locally using the local IP address and via DDNS using DynDns or No-IP.

I have selected Https access on the Admin-System page and left the port at the default 8443.

Is this normal or have I missed a setup step to avoid the warnings and get a solid, secure, access session?

 

[thelonelycoder]

It's a self signed certificate. This is to be expected and perfectly normal. Your access is still secure as long as you know the machine or device you're accessing is yours.

 

[martinr]

So https, being encrypted, protects you from eavesdroppers or man-in-the-middle attacks, but it doesn't stop someone else logging in. But as long as your username/password pair is not the default one, or admin/monkey etc, i.e. they are a strong, not-obvious combination, you'll be quite safe: you know how time consuming it is just to get access with the correct pair, and how frustrating and time consuming when you mis-type the credentials, and that's when you know the username and password.

 

[thelonelycoder]

So https, being encrypted, protects you from eavesdroppers or man-in-the-middle attacks, but it doesn't stop someone else logging in. But as long as your username/password pair is not the default one, or admin/monkey etc, i.e. they are a strong, not-obvious combination, you'll be quite safe: you know how time consuming it is just to get access with the correct pair, and how frustrating and time consuming when you mis-type the credentials, and that's when you know the username and password.

Certificates, self signed or not do not protect you when you use the default username and a password as strong as 12345678.
Just saying.

 

[martinr]

Certificates, self signed or not do not protect you when you use the default username and a password as strong as 12345678.
Just saying.

Indeed, yes, it does need to be emphasised, so people understand the limitations. Until I knew better, I assumed https access was the ultimate solution. Now that I know better I realise there is no ultimate solution, other than never connecting to anything. (So I don't allow any WAN access, other than by SSH or OpenVPN.)

 

[thelonelycoder]

(So I don't allow any WAN access, other than by SSH or OpenVPN.)

A wise decision. Unless you really need it, better leave it off.

 

[colecaz]

As I understand the replies above, the only part of remote access that is encoded is the login process and the username/password. Is this correct? I was expecting that the entire session would be protected and the indication on the address line of the browser would continue to show https valid instead of changing to indicate a problem. When I access my credit card account on line the https:// prefix to the URL stays green and the lock symbol stays locked throughout the session and I was expecting the same when accessing the router via https.

And I have changed the username/password from the defaults. That's among the first things I do in any new setup.

 

[thelonelycoder]

@colecaz What I was saying is: The user/pass on any website is the most vulnerable part. While on https your communication is encrypted at all times. The security warning you get for a self signed certificate is because that certificate cannot be verified by a trusted third party such as VeriSign.

 

[colecaz]

@lonely Thanks. Being encoded but alerted to an untrusted certificate makes the indication make sense now.