Certificate Error, Router home page hacked? (192.168.1.1)
corei7
Newbie

The router home page (192.168.1.1) is now showing as insecure.  I am being re-directed to myfiosgateway.com, which shows https with a red strike through, and which displays the following: 

 The redirected site is protected with a self-signed certificate, and your internet browser will prompt you with a security warning to accept the router's self-signed certificate before proceeding. This is a standard prompt for any self-signed certificate to help ensure the security of your internet connection.

Has this page been hacked? I did not log in.

skypickle
Newbie

I had to use a Mac. ALL Windows OSes get stuck in this loop. I think Verizon wants us to log in to our router through THEIR network. I guess they can FORCE us to do this as a way of showing US THEY OWN THE ROUTER IN OUR OWN HOME!

So even though I reset the router to default, it still locks me out. My solution was to add MY OWN router between the Verizon box and my network. The idea that they can snoop my LAN without my consent is ludicrous.

AlbanyFSC1
Enthusiast - Level 1

I am not by any means a network professional, but I may be able to weigh in here, and feel free to correct me if I am wrong.

In the past, the router was accessible through HTTP, which did not require a security certificate, therefore no security warning. It is now forcing a redirect to HTTPS, and on the page advising of the change it warns you there will be a security warning. Now, I don't know if this is being done for customers' security, or for compliancy, but changing to HTTPS is happening everywhere.

Now, when you go to your bank's website, you are accessing a company that is using HTTPS and has a Trusted CA Certification that they pay for. It means it's recognized as a secure site.

Since you are not accessing a publicly accessed website when you are logging into your router, you are visiting a private local IP address of 192.168.1.1 (an IP which absolutely cannot obtain a trusted CA certification, because it's a private local IP address), it has no recourse but to issue a self-signed certificate. Your browser, when using HTTPS, by design will throw up a security warning that the site you are trying to reach is using a self-signed certificate. It's basically warning you "Hey, User...make sure you know what you are connecting to on the other end of this IP you are trying to reach". Since you know it's a local IP, not accessible on the web, and it's pointing to the router in your home, you know it is ok to proceed.

Your browser will do the SAME THING if you were trying to visit a malicious IP address on the web using HTTPS, and since that website may be malicious it's not issuing a Trusted CA certification, but a self-signed certificate. Browser, doing what browsers do, says the same thing. "Hey, User...make sure you know what you are connecting to on the other end of this IP you are trying to reach." But in this case, it's not your local private IP that points to your router. So, your browser is working as intended to protect you.

Verizon, in trying to be more compliant and more secure for their customers, is trying to improve your security by making the router access via HTTPS. The change to HTTPS obviously has some caveats that will trigger some tech support calls, but I assure you your browser is doing as it's programmed to do, and you are not in danger of being eaten by a computer virus or a hacker by accepting the self-signed certificate issued by your router.

Anyone saying that Verizon is being cheap and not paying for a trusted CA certification may not be fully grasping how those SSL certs work. You can buy one yourself if you like...if you have a public IP address and domain. You CAN NOT get one for a private IP of 192.168.1.1 which is what your browser is trying to access.

Once again, if I am wrong or have missed anything, please respond. I am comfortable with criticism, and would love to know where I steered awry.

Kiwi2020
Newbie

I was able to get through using Google Chrome, which allows you to bypass the warning.

skypickle
Newbie

Until recently, I could point my browser to the Verizon Fios router IP and log in. I'd get a warning about the self-signed certificate, click OK and there I was. However now, the behavior is different. I get a page that says this:

~~~~~~~~~~~~~~~~~~~
Verizon takes your privacy and internet security seriously. To better ensure security, Your router is automatically being redirected to myfiosgateway.com.

The redirected site is protected with a self-signed certificate, and your internet browser will prompt you with a security warning to accept the router's self-signed certificate before proceeding. This is a standard prompt for any self-signed certificate to help ensure the security of your internet connection.
~~~~~~~~~~~~~~~~~~~

Then I get the usual self signed certificate warning that says this:

~~~~~~~~~~~~~~~~~~~
Attackers might be trying to steal your information from 192.168.1.1 (for example, passwords, messages, or credit cards). Learn more
NET::ERR_CERT_COMMON_NAME_INVALID

Help improve Safe Browsing by sending some system information and page content to Google. Privacy policy

I click on the advanced button and then the usual warning appears below it:
This server could not prove that it is 192.168.1.1; its security certificate does not specify Subject Alternative Names. This may be caused by a misconfiguration or an attacker intercepting your connection.

Proceed to 192.168.1.1 (unsafe)
~~~~~~~~~~~~~~~~~~~

I click on the proceed button and I am back at the same page after a brief flash of this

~~~~~~~~~~~~~~~~~~~
Verizon takes your privacy and internet security seriously. To better ensure security, Your router is automatically being redirected to myfiosgateway.com.
~~~~~~~~~~~~~~~~~~~

I have no problem logging in to the router from a Mac!
This occurs on two separate machines (Windows 7 Pro and Windows 10 Pro) directly connected to the router by Ethernet. I don't know why the router is stuck in an infinite loop for Windows only since the Mac is on the same network. DNS server for all machines is the same in the adapter settings.
What's going on?!

Nilsa_VZ
Community Manager

This has been retested by our router testing team and they are not seeing any issues with this on IE, Edge or Firefox 66. Certificates are being imported or the exceptions are being allowed, depending on the browser. The only recommendation the team has provided is to ensure the cookies are being cleared. It could also be the Security Level the browser is set to for visiting sites; IE 11 uses zones for this that can be managed and may be set higher than default and could cause issues.

We apologize for this inconvenience.



Community Manager
Community Manager II
RichyBroke
Newbie

Hi,

I just realized that I have the same issue using any browser or computer. If most people have an issue with the GreenWave Systems certificate, then whatever is making it work for your in-house team is not working in our homes.

I know Verizon just released an update to fix a certain vulnerability so it might be related to it.

Please look into the matter more thoroughly.

Thank you,

Richard

will822
Newbie

Your team needs to retest again. The fact that so many are reporting issues makes your statement that there are no problems false and incorrect.

jnv111
Enthusiast - Level 2

Now we know why Verizon is now forced to force HTTPS only logins. It is using HTTPS to block a replay attack. See this SecurityWeek article for why Verizon now is forced to disallow HTTP logins.

Nilsa_VZ
Community Manager

I apologize that the information provided by our internal team was not helpful. I have referred this to them again for further investigation and testing. I'm providing information from our product and testing teams and will continue to do so as I obtain it. 

For your information, there was also a security fix which changed our default login page from an HTTP address to an HTTPS address on our last release. When visiting the previously used HTTP address there is new verbiage there to inform customers of the change and a redirect to the HTTPS address. When a customer clicks that link they will also get a certificate warning from their browser since the HTTPS is being secured by a self-signed certificate. Once the warning is accepted the warning will continue to the HTTPS site where you will be able to log in and manage your devices as usual.

Attached is the flow of this experience for your reference:


I will provide an update once I hear back from the team. 

Thank you for your patience. We sincerely apologize for this inconvenience. 



Community Manager
Community Manager II
JetFixxxer
Newbie

Doesn't go past the warning page. I hit proceed in Chrome and advance on FF, and it just loops back to the warning page.

Akiro
Enthusiast - Level 1

Same for me as well no matter what browser I use

MtnDweFR
Newbie

I have the same issue: accept risk, get sent back to warning. I already reset browsers, cleared cache, history and cookies.

Browsers affected: Chrome, Firefox, IE, Edge

Here is the info I see:

https://myfiosgateway.com/
The server uses a certificate with a basic constraints extension identifying it as a certificate authority. For a properly-issued certificate, this should not be the case.
HTTP Strict Transport Security: false
HTTP Public Key Pinning: false
Certificate chain: [certificate omitted]

Akiro
Enthusiast - Level 1

This is not a solve as the issue still remains

FiosV_C
Newbie

Hi Nilsa,

Is this the official Verizon solution?

Thanks,

Grateful Verizon Fios Customer

Edg1
Community Leader

There isn't really an issue. Your web browser is just giving you that warning because it doesn't recognize the certificate. The browser is doing what it's designed to do. Many network access devices use self-signed certificates. Most browsers do however have a check box to add an exception. Afterwards you shouldn't see that error anymore. 

samb41
Enthusiast - Level 1

Other commenters saying that logging in on MacOS worked made me think to try using Safari on Windows, and that finally did it.

Chrome, Firefox, and Edge all had the looping problem of returning to the warning page after allowing the risky certificate, but Safari took it like a champ and sent me right on down to the login page, finally, after weeks of trying over and over to no avail.

Download Safari 5.1.7 for Windows (google it) and try it for yourselves, and maybe one day soon this workaround won't be necessary.

fzammetti1
Enthusiast - Level 2

Yeah, there's nothing inherently wrong with what Verizon tried to do here, let's get that right. Forcing users through a secure link is nothing but a good thing, at least as far as intentions go - implementation and proper testing is another issue though.

All that said, I echo what others are seeing: trying to advance past the invalid cert page just loops back to it. That happens in the latest version of Chrome, Firefox, Edge, and Opera on Windows 10. Even if I explicitly export and then import the cert to trust it, even if I trust the intermediate authority, none of it matters. Clearing cookies and cache and all that makes no difference, as I would expect (but I gave it a shot anyway). It DOES work from my iPad or my Android phone or my Mac, but apparently no browser on Windows (I didn't try Safari).

However, in my case, I finally did find the issue, and I wouldn't be surprised if this is the root cause for a lot of people and would also explain maybe why Verizon's test team couldn't replicate it, so Verizon support folks, you'll want to add this to your support scripts...

For me, the problem was my system protection suite. More specifically, the SSL/TLS scanning option that was turned on in ESET Internet Security.

The way I discovered this was by viewing the invalid cert on the error page in Chrome by clicking the error it displays (NET::ERR_CERT_COMMON_NAME_INVALID most likely), which there is no indication you can do, but you can, and then noticing that the Subject is GreenWave Systems as you'd expect, but for me the Issuer said ESET SSL Filter CA.

Woah, what?! This is a self-signed cert, so the CA should be GreenWave too!

Did Verizon screw up generating the cert? That's what I thought at first, but a second or two later I realized "wait, if they did, why the hell would they sign it with an ESET issuer?"

Doh! -I- run ESET Internet Security on my machine! So, it instantly occurred to me that no, they didn't screw up, my protection did!

The way ESET does SSL/TLS scanning is munging the cert in such a way that it runs afoul of changes to the way browsers handle certs with regard to common names. I suspect ESET may be inserting its own cert or something along those lines so that it can intercept that traffic to scan it. I'm not sure of the exact mechanism, but something along those lines makes sense.

So, after turning off each protection option in ESET, I finally got the login page to my router to come up. Eventually, after turning each option back on in turn, I finally arrived at the SSL/TLS Protocol Filtering option under Web and Email in advanced options. Turning it off results in being able to get through the invalid cert page (and, as expected, the Issuer then shows as GreenWave), turning it back on causes the infinite loop to come back.

Mystery solved!

Now, as for how I fixed it, since keeping that scanning off isn't something I want to do, under the SSL/TLS section in the options for ESET, there's a List of known certificates option with an Edit button. Visit the gateway page first, then click that Edit button. Somewhere in there are TWO GreenWave certs, one with ESET as the issuer and one with GreenWave. For BOTH, I had to Edit them and select Ignore as the Scan action. As soon as I did that, all was right with the world: I can access the gateway with any browser, no problem. I DO still get the invalid cert warning page, but as others have said, that's completely expected and not an issue. Click through that and I'm good to go.

Hopefully, this helps someone... I don't know if ESET is the common theme or if other protection software will have a similar issue (I would guess yes if they do similar protocol scanning and implement it a similar way).

Verizon techs, I would suggest spinning up a VM with ESET Internet Security installed and fully active so you can confirm my findings. I'm not seeing a way you could avoid this problem that doesn't involve customers changing the config in their protection software, but at least if you confirm it you'll have a handle on the issue, at least for some subset of those having this problem (and maybe everyone).
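
Added example (not part of the post above, and not Verizon or ESET code): the issuer-versus-subject comparison that the post describes, done in Python over the DER bytes of a certificate. The two sample certificates are constructed skeletons that carry only the names quoted in this thread, and all function names are illustrative.

```python
def read_tlv(buf, pos):
    """Decode one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_and_subject(der):
    """Return the raw DER of the issuer and subject Names in an X.509 certificate."""
    _, pos, _ = read_tlv(der, 0)       # outer Certificate SEQUENCE
    _, pos, _ = read_tlv(der, pos)     # tbsCertificate SEQUENCE
    if der[pos] == 0xA0:               # optional [0] version field
        pos = read_tlv(der, pos)[2]
    fields = []                        # serial, sigAlg, issuer, validity, subject
    for _ in range(5):
        end = read_tlv(der, pos)[2]
        fields.append(der[pos:end])
        pos = end
    return fields[2], fields[4]

def common_name(name_der):
    """Return the first CN (OID 2.5.4.3) value in a DER Name, or None."""
    _, pos, stop = read_tlv(name_der, 0)
    while pos < stop:
        _, attr, pos = read_tlv(name_der, pos)          # RDN SET; pos -> next RDN
        _, oid_at, _ = read_tlv(name_der, attr)         # AttributeTypeAndValue
        _, o_start, o_end = read_tlv(name_der, oid_at)  # attribute type OID
        _, v_start, v_end = read_tlv(name_der, o_end)   # attribute value string
        if name_der[o_start:o_end] == b"\x55\x04\x03":
            return name_der[v_start:v_end].decode("utf-8", "replace")
    return None

def diagnose(der):
    """Compare issuer and subject names only; the signature is not verified."""
    issuer, subject = issuer_and_subject(der)
    return "self-signed" if issuer == subject else f"issued by {common_name(issuer)}"

# Constructed sample input: certificate-shaped DER skeletons, no real keys or signatures.
def tlv(tag, body):
    return bytes([tag, len(body)]) + body   # short-form length, enough for these samples

def name(cn):
    return tlv(0x30, tlv(0x31, tlv(0x30, tlv(6, b"\x55\x04\x03") + tlv(12, cn.encode()))))

def sample(issuer_cn, subject_cn):
    tbs = tlv(0xA0, tlv(2, b"\x02")) + tlv(2, b"\x01") + tlv(0x30, b"")
    return tlv(0x30, tlv(0x30, tbs + name(issuer_cn) + tlv(0x30, b"") + name(subject_cn)))

DIRECT = sample("GreenWave Systems", "GreenWave Systems")      # filtering off, per the post
FILTERED = sample("ESET SSL Filter CA", "GreenWave Systems")   # filtering on, per the post

if __name__ == "__main__":
    print(diagnose(DIRECT), "|", diagnose(FILTERED))
```

For a live check, the DER bytes come from `ssl.SSLSocket.getpeercert(binary_form=True)` on a connection opened with verification disabled. An issuer that names a local security product rather than the device means the browser is being shown a substituted certificate.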

Rhodak1
Enthusiast - Level 1

Great job diagnosing and explaining the issue fzammetti1!!!! I was cursing Verizon loudly after trying multiple browsers, and then I noticed your info on ESET. I too use ESET, and your direction was perfect. I was able to remedy the situation quickly and can now log into the browser. Thanks!! PS...I think Verizon owes you a consulting fee.

BuddhaBoy
Enthusiast - Level 1

Brilliant Dude!

glnzglnz
Contributor - Level 3

Hey, everyone -- maybe Verizon's self-signed certificates are causing other problems in Win 10 PCs. If you have a Win 10 PC, please go to my new thread on this forum:

https://forums.verizon.com/t5/Fios-Internet/Do-certificates-for-signing-in-to-Quantum-G1100-cause-Au...

Thanks.

Ianhoss
Enthusiast - Level 1

Hope this is the way to post.

This is a known issue with Verizon which I did not know until I bought a new FiOS router.

It seems that the certificate on the router is not acting the way it should be. When logging into it from https://myfiosgateway.com, all of my browsers blocked the page because it was unsafe. So of course, I selected to proceed to the unsafe site, being that it was my router. I clicked it and nope, still unsafe, not allowed. Phone call to support and they take over system and no joy. They never told me to turn off any protection (ESET). They told me that the router was not responding and that it needed to be replaced. Since I had bought it in 2015 I figured it needed to go.

Got new one and SURPRISE, same problem. Back on the phone (this time with a very condescending support person who felt that I was the dumbest human he had ever spoken to) to inform them that I still had the same problem even with the new router. After 20 mins of listening to support telling me nicely how stupid I was, he explained that it was a known glitch and Verizon was working on it. No offer to take new router back, by the way.

With the new router installed, I figured there had to be a workaround. Once I turned off the SSL/TLS protection feature in ESET it worked, full access to the new router. The problem now: I have the SSL turned off, "NOT GOOD"! Looking around I found a fix to the glitch. At least with ESET, not sure if it will work with other services.

In the advanced setup in ESET, under the WEB and EMAIL section, go into the PROTOCOL FILTERING option and exclude the IP address, and turn on the SSL/TLS protection. This worked. Hopefully Verizon will figure out the certificate glitch. This worked for me and I hope it helps. Let me know if it did. Thanks
