
How many of you use Remote Admin with HTTPS?

Discussion in 'Tomato Firmware' started by Mangix, Feb 22, 2013.

  1. Mangix

    Mangix Networkin' Nut Member

    I'm just curious if anyone's using it. I just did a test of how good the TLS implementation in tomato is and....not good. There's no point in trying to fix it if nobody uses it, so I'm curious, does anyone use it?

    Results: https://dl.dropbox.com/u/102011983/Tomato/tomato-https1.png
    https://dl.dropbox.com/u/102011983/Tomato/tomato-https2.png

    First off, the certificate score is to be expected. What's odd is that tomato's self-generated key is 512-bits. Really now?

    All that's needed is the removal of those weak ciphers. Also, that page's warnings about the BEAST attack are irrelevant. All the browsers have fixed it already.
     
  2. shibby20

    shibby20 Network Guru Member

    better?

    ssl.png
     
  3. Mangix

    Mangix Networkin' Nut Member

    ooo that looks like quite an improvement! It does look like the weak ciphers are still there though (can't tell).

    I would be curious if HSTS is also possible. I have no idea how difficult that would be since the httpd code is alien to me.
     
  4. xorglub

    xorglub Addicted to LI Member

    I use it on all my routers. That being said, I am not overly concerned with those results; I don't expect anyone to have enough dedication to perform an attack on those. It's only a router, not a bank!
     
  5. Mangix

    Mangix Networkin' Nut Member

    Here's some fear mongering by me:

    Attacker X man in the middles you. A 512-bit key is somewhat easy to factor by someone with enough hardware so that's not too big of an issue. At this point, once you log in he has your password since Tomato does not do any client-side hashing of the password when logging in. Another Scenario:

    Attacker X man in the middles you. Instead of trying to factor the 2048-bit key that shibby has now added, he modifies the Negotiation stage of TLS where the client says what ciphers it supports. Instead of passing everything along, the attacker modifies the data such that only one of the WEAK ciphers is included (a 40-bit one, preferably). As he is a man in the middle, he's sniffing all the traffic, which means that once he breaks the encryption (less than a day is what it would take), he has your password. This may be somewhat difficult to pull off as browsers will probably warn you if a site only says it supports a weak cipher (I hope!). Scenario 3:

    Attacker X man in the middles you. He doesn't feel like doing the above methods. So he'll just initialize a TLS connection between him and the server, strip the TLS stuff, and serve you unencrypted HTTP traffic in the hope that you will not notice. HSTS is the only defense against this.

    If you have an unsigned and an untrusted certificate, an attacker doesn't even need to do any of that. He can just serve you a bad certificate because you'll accept it anyways. HSTS will stop this.

    Once he has your password, he can backdoor your router to include a TCP sniffer that phones home or whatever other nasty stuff he wants.

    In conclusion, yes this does assume a motivated attacker. But that's a necessary but not sufficient requirement. Another requirement is that the TLS implementation is weak in the first place. Because security is not terribly difficult to get right, might as well. You never know when it will save you.
     
  6. bmupton

    bmupton Serious Server Member

    I log in via SSH using keys and port forward 80 on localhost to the router. I carry my SSH client and key with me on a USB stick.

    Works for me.
     
  7. Elfew

    Elfew Addicted to LI Member

    ok, is it normal that I set HTTPS access but I cannot log in to the router after that? 192.168.1.1 doesn't work anymore....

    edit: ok you have to write: https://192.168.1.1 after that it is working fine... I thought it should recognise the http/https address automatically in the browser, not to manually add https... am I wrong?
     
  8. molnart

    molnart Networkin' Nut Member

    I am using it as well on both my routers, also not concerned, most of the time there is nothing going on behind my routers
     
  9. Mangix

    Mangix Networkin' Nut Member

    HTTP is on port 80. HTTPS is on port 443. You have to specify HTTPS manually since there is nothing running on port 80 and that's what the browser accesses by default.

    It's probably possible to implement a 302 redirect on port 80 when only HTTPS is enabled, but I won't be the one to do it. The HTTP server in tomato is completely alien to me.
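    The port-80 redirect described in this post, together with the HSTS header named in post 5 as the defence against stripping, as an added example that is not Tomato's httpd code. Browsers only honour Strict-Transport-Security when it arrives over an HTTPS connection whose certificate they trust, so the header belongs on the HTTPS side and presupposes a trusted certificate. The port, max-age value and the hypothetical handler names are assumptions.

```python
import re
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

HSTS_MAX_AGE = 31536000  # one year in seconds; an assumed value, not Tomato's

_HOST_RE = re.compile(r"^[A-Za-z0-9.-]+$")  # hostnames and IPv4 literals only


def https_location(host_header, target):
    """Return the HTTPS URL to redirect a plain-HTTP request to, or None.

    The Host header may carry the HTTP port ('192.168.1.1:80'); it is dropped
    because the HTTPS listener is on 443. The host is validated so that a
    forged Host header cannot steer the Location header somewhere else
    (the router is normally reached by its IP, so IPv6 literals are not handled).
    """
    host = (host_header or "").split(":")[0].strip()
    if not _HOST_RE.match(host):
        return None
    if target.startswith(("http://", "https://")):  # absolute-form request target
        parts = urlsplit(target)
        target = parts.path or "/"
        if parts.query:
            target += "?" + parts.query
    if not target.startswith("/"):
        target = "/" + target
    return "https://%s%s" % (host, target)


def hsts_header(max_age=HSTS_MAX_AGE):
    """Value of the Strict-Transport-Security header the HTTPS side should send."""
    return "max-age=%d" % max_age


class RedirectHandler(BaseHTTPRequestHandler):
    """Answers every method on the plain-HTTP port with a 302 to HTTPS."""

    def do_GET(self):
        location = https_location(self.headers.get("Host"), self.path)
        if location is None:
            self.send_error(400, "Host header missing or invalid")
            return
        self.send_response(302)
        self.send_header("Location", location)
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_HEAD = do_POST = do_GET


if __name__ == "__main__":
    # Port 80 needs root; 8080 is used here for a local trial run.
    HTTPServer(("0.0.0.0", 8080), RedirectHandler).serve_forever()
```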
     
  10. Elfew

    Elfew Addicted to LI Member

    reported to shibby :)
     
