Logging into Router Using HTTPS
B0zz
Newbie

Just got off the phone with Verizon tech and had a very strange reaction to my request for connecting securely to my router using HTTPS. She said that if I can connect using the 192.168.1.1 address, it was not Verizon's problem.

Maybe I'm misunderstanding but I thought my connection to the router was supposed to be done using HTTPS which cannot be accomplished using an IP address.  Certificates are only issued to named domains. Verizon packages the router cert as part of the router and allows secure connections using the https://myfiosgateway.com.

I am unable to connect using that address. I can connect by IP and by named address as long as I'm using HTTP.  Not being able to use HTTPS implies an insecure element within the router's web UI. It could be something as trivial as an image tag or as vulnerable as a script reference. The point is: I DO NOT HAVE A SECURE ROUTER CONNECTION. This is important to me due to past hacking activity.

Is it possible to talk to a Verizon agent who understands the difference between HTTP and HTTPS and can assist me in obtaining a secure connection?  Currently, when trying to establish a secure connection, I get the warning:

Your connection is not private

Attackers might be trying to steal your information from myfiosgateway.com (for example, passwords, messages, or credit cards). Learn more

NET::ERR_CERT_AUTHORITY_INVALID
 
and so on.  This is not acceptable to me but is totally fine with at least the last Verizon support agent that I spoke with.  How can this be?
 
Thanks,
Mike

Correct answers
Re: Logging into Router Using HTTPS
smith6612
Community Leader

Browsers consider the self-signed certificates the routers generate as unsecure, for the sheer fact that they are self signed. Self Signed certificates are typically used in man in the middle attacks. They do have valid uses, however. For example, your router likely doesn't have the means to sign certificates for the IP Address "192.168.1.1" or address "myfiosgateway.com" with a valid certificate authority.

Typically, to get an SSL Certificate with a valid authority, you need to have a unique address. For example, you need to own a public IP Address and show proof through WHOIS Records and by hosting resources. The same goes for domains. You also may have to pay for the certificate. A certificate authority will never issue certificates for addresses like 192.168.1.1 because they are non-unique and cannot be made personally identifiable.

Hope that makes sense. The Verizon support technician would be right in this case - nothing to worry about. Trust your router's self signed certificate, and you'll know if a firmware upgrade happens or if the router gets swapped/compromised, when its signature changes.

Keep in mind too. Verizon would not package a real certificate into the firmware, because it would be trivial to lift the private key from the firmware blob. Doing so would be a security issue.

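The answer above relies on noticing when the router's self-signed certificate changes. As an added example (not part of the original thread and not Verizon's tooling), this Python sketch records the certificate's SHA-256 fingerprint on first contact and reports any later change. The pin file name is hypothetical, and the first run is assumed to happen over a connection you already trust, such as a direct wired link to the router.

```python
import hashlib
import hmac
import json
import socket
import ssl
from pathlib import Path


def fetch_der(host, port=443, timeout=5.0):
    """Return the server's leaf certificate as DER bytes, without chain validation."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # self-signed: there is no CA chain to validate,
    ctx.verify_mode = ssl.CERT_NONE  # so trust comes from the stored pin instead
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def fingerprint(der):
    """SHA-256 over the DER encoding, as shown in a browser's certificate viewer."""
    return hashlib.sha256(der).hexdigest()


def check_pin(host, der, store):
    """Trust on first use: returns 'pinned', 'match' or 'CHANGED'."""
    pins = json.loads(store.read_text()) if store.exists() else {}
    seen = fingerprint(der)
    if host not in pins:
        pins[host] = seen
        store.write_text(json.dumps(pins, indent=2))
        return "pinned"
    # A change means a firmware upgrade, a swapped router, or an interception:
    # find out which before typing the admin password. The old pin is kept.
    return "match" if hmac.compare_digest(pins[host], seen) else "CHANGED"


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"
    store = Path.home() / ".router_pins.json"  # hypothetical pin file location
    der = fetch_der(host)
    print(host, fingerprint(der), check_pin(host, der, store))
```

Compare the printed fingerprint with the one in the browser's certificate details before accepting the warning for that certificate.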