Recent content by arsenull

  1. ASUSwrt Password Sent in Cleartext

    I agree completely. That's part of the reason why I dismissed the HTTPS as only a "self-signed cert", given that users are unlikely to check if it is because it is self-signed that they have to click through the exception warnings, or because it is a MITM attack.
  2. ASUSwrt Password Sent in Cleartext

    Thank you for the thorough answer, exactly what I was looking for! Also, thanks again for your work :D
  3. ASUSwrt Password Sent in Cleartext

    Yeah, that is what I was thinking. I am more curious than anything how deep it is integrated into the original firmware. HTTPS is definitely a big help in this case, although I didn't realize at first (naively) that HTTP was the default. If the user isn't using WAN web access to their router...
  4. ASUSwrt Password Sent in Cleartext

    It is in fact not a solution to the problem. The problem is that the actual password is being sent, not a hash. Solutions to that problem may have their own potential attack surfaces (such as HTTP digest, as you suggested), but such solutions could still increase security from a "security...
  5. ASUSwrt Password Sent in Cleartext

    Definitely understandable! I am a home network user, but just a paranoid one :) Out of curiosity though, how deeply integrated is the use of the actual password in authentication vs. the use of a hash? I'm assuming it's deeply in the original ASUSwrt firmware? Thanks for all the replies!
  6. ASUSwrt Password Sent in Cleartext

    An internal CA system is what you would generally see in an enterprise environment. But that's irrelevant, and honestly it was just a side-comment that in retrospect is obvious and unrelated. The point of that response though was that HTTPS isn't a solution to the actual problem I originally...
  7. ASUSwrt Password Sent in Cleartext

    Yes, that is a good recommendation. However, I don't think it solves the underlying problem. Security should be in-depth (layers), and the router is only using a self-signed cert for HTTPS. Another thing, if the client is sending the actual password (only base64 encoded) to the router, I can...
  8. ASUSwrt Password Sent in Cleartext

    First off, I really like asuswrt and greatly appreciate the work by the devs. I noticed that when logging into the router via web browser (locally) the authentication is done using HTTP Basic Auth, which sends the username: password information with only base64 encoding (versus HTTP Digest...