Just got off the phone with Verizon tech and had a very strange reaction to my request for connecting securely to my router using HTTPS. She said that if I can connect using the 192.168.1.1 address, it was not Verizon's problem.
Maybe I'm misunderstanding but I thought my connection to the router was supposed to be done using HTTPS which cannot be accomplished using an IP address. Certificates are only issued to named domains. Verizon packages the router cert as part of the router and allows secure connections using the https://myfiosgateway.com.
I am unable to connect using that address. I can connect by IP and by named address as long as I'm using HTTP. Not being able to use HTTPS implies an insecure element within the router's web UI. It could be something as trivial as an image tag or as vulnerable as a script reference. The point is: I DO NOT HAVE A SECURE ROUTER CONNECTION. This is important to me due to past hacking activity.
Is it possible to talk to a Verizon agent who understands the difference between HTTP and HTTPS and can assist me in obtaining a secure connection? Currently, when trying to establish a secure connection, I get the warning:
Your connection is not private
Attackers might be trying to steal your information from myfiosgateway.com (for example, passwords, messages, or credit cards). Learn more
Correct answers
Browsers consider the self-signed certificates the routers generate as unsecure, for the sheer fact that they are self-signed. Self-signed certificates are typically used in man-in-the-middle attacks. They do have valid uses, however. For example, your router likely doesn't have the means to sign certificates for the IP Address "192.168.1.1" or address "myfiosgateway.com" with a valid certificate authority.
Typically, to get an SSL Certificate with a valid authority, you need to have a unique address. For example, you need to own a public IP Address and show proof through WHOIS Records and by hosting resources. The same goes for domains. You also may have to pay for the certificate. A certificate authority will never issue certificates for addresses like 192.168.1.1 because they are non-unique and cannot be made personally identifiable.
Hope that makes sense. The Verizon support technician would be right in this case - nothing to worry about. Trust your router's self-signed certificate, and you'll know if a firmware upgrade happens or if the router gets swapped/compromised, when its signature changes.
Keep in mind too. Verizon would not package a real certificate into the firmware, because it would be trivial to lift the private key from the firmware blob. Doing so would be a security issue.
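The advice above (trust the router's self-signed certificate and watch for its signature changing) is trust-on-first-use pinning. As an added example, not part of the original thread or any Verizon tooling, this script records the certificate's SHA-256 fingerprint on first contact and reports when a later connection presents a different one; the pin file location and function names are assumptions.

```python
import hashlib, json, os, socket, ssl, sys

PIN_FILE = os.path.expanduser("~/.router_pins.json")  # assumed location

def fetch_der(host, port=443, timeout=5):
    """Return the server's leaf certificate (DER) without CA validation."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # self-signed: a CA check would always fail
    ctx.verify_mode = ssl.CERT_NONE  # trust comes from the pin comparison below
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def fingerprint(der):
    """SHA-256 over the DER bytes, the value browsers show as the fingerprint."""
    return hashlib.sha256(der).hexdigest()

def check_pin(host, der, pin_file=PIN_FILE):
    """Return 'first-use', 'match' or 'changed' for this host's certificate."""
    pins = {}
    if os.path.exists(pin_file):
        with open(pin_file) as fh:
            pins = json.load(fh)
    seen = fingerprint(der)
    if host not in pins:
        # First contact: record the fingerprint so later runs can compare.
        pins[host] = seen
        with open(pin_file, "w") as fh:
            json.dump(pins, fh, indent=2)
        return "first-use"
    # A mismatch never overwrites the stored pin automatically.
    return "match" if pins[host] == seen else "changed"

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"
    status = check_pin(host, fetch_der(host))
    print(host, status)
    sys.exit(1 if status == "changed" else 0)
```

A `changed` result after a known firmware upgrade or router swap is expected; delete the host's entry from the pin file to re-pin. Any other `changed` result should be investigated before entering the admin password.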