IFTTT - how much do you care about security?

Discussion in 'Asuswrt-Merlin' started by RMerlin, Dec 3, 2017.

  1. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    28,237
    Location:
    Canada
    So, I've had my first quick glance at Asus's IFTTT new feature... If I read this correctly, it requires you to open your router's webui to the WAN. Uh, no thanks.

    If that's really the case (and not just a bad translation from the original Chinese strings), then I'll have to strongly recommend to everyone NOT to enable that feature.

    I'll have to think to decide what I want to do about this... I was against the addition of this feature from the start, and with that requirement I am even more against it.
     
  3. Laserpaddy

    Laserpaddy Occasional Visitor

    Joined:
    Aug 19, 2016
    Messages:
    16
    Hasn't that been on the ac88u since day 1? Mine has had it. Or am I confused?

    Sent from my SM-G955U using Tapatalk
     
  4. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    28,237
    Location:
    Canada
    IFTTT was only added last week with the release of the 18881/18991 firmwares.
     
  5. Laserpaddy

    Laserpaddy Occasional Visitor

    Joined:
    Aug 19, 2016
    Messages:
    16
    Ok sorry..it seemed in my interpretation that the DDNS feature of the usersnamechoice.asus.com was a really bad idea as well, that's what I was confusing..

    Sent from my SM-G955U using Tapatalk
     
  6. SwampKracker

    SwampKracker Regular Contributor

    Joined:
    Aug 7, 2013
    Messages:
    103
    Wow....unless the security problems with allowing WAN access to webui have been resolved, this is a disaster.
     
  7. st3v3n

    st3v3n Senior Member

    Joined:
    Feb 24, 2016
    Messages:
    421
    Location:
    Central US
    Uh..NO thanks Asus. Wonder what those guys are smoking or is this more 'nomeland' insecurity?
     
    martinr and Laserpaddy like this.
  8. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    28,237
    Location:
    Canada
    It's the market asking for features without understanding their security implications. Asus simply provides their customers what they are asking for, I can't blame them for it...

    On the other end of the spectrum, the new IPSec server support seems to be pretty easy to set up. Did a quick test of it last night using my Android smartphone as the client, was effortless to set up. That might be a solid replacement to PPTP for people not willing to deal with OpenVPN (even tho OpenVPN is nowhere as hard to set up as people might think - just export the .ovpn file, and import it on your client and you're about done.)
     
  9. st3v3n

    st3v3n Senior Member

    Joined:
    Feb 24, 2016
    Messages:
    421
    Location:
    Central US
    Absolutely; I've had no problems with any vendor's opv configs (or filling in the blanks). The way OpenVPN has progressed, I'm looking forward to more goodness from it. There's so much mish-mash coming out of the various labs (and marketing departments) that has to get sorted out and that will probably/hopefully not make the cut. For my 2cents worth, as long as end users have a choice of being able to switch such useless features off, I'll be pleased; as long as RMerlin has the will and wants to fix their work.
     
  10. cowboy

    cowboy Regular Contributor

    Joined:
    Jun 4, 2015
    Messages:
    91
    Location:
    Germany
    Asus Router and IFTTT sound like a really nice feature [here]. I don't quite get why Web access from WAN is required, but it sure is a security concern, mostly for those which are not aware what they are about to do.

    Maybe if choosing a really good password (strong one) for Web Access from WAN is not that of a big security risk, or is it ?
     
    Vexira likes this.
  11. Keenan

    Keenan Regular Contributor

    Joined:
    Mar 20, 2013
    Messages:
    166
    Location:
    California
    I've been using a couple of Echo Dots and a Harmony Hub(along with several lighting setups) for months now and I find the system to be very handy. As far as linking a router to a system like that, I guess I'm just not that active as far as router "play" goes, I like a router that does its job well and disappears into the background unseen. For a household that has a number of people and guests on a regular basis, I suppose it could be handy though.
     
  12. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    28,237
    Location:
    Canada
    On at least one occasion in the past a security issue was found that allowed to bypass entirely the password authentication.
     
    Makaveli, Quoc Huynh, octopus and 3 others like this.
  13. escape75

    escape75 Regular Contributor

    Joined:
    Oct 1, 2013
    Messages:
    55
    IPSec support on Asus router, where? :)
     
  14. EventPhotoMan

    EventPhotoMan Senior Member

    Joined:
    Mar 29, 2018
    Messages:
    221
    Either way, getting back to ifttt...

    I’m looking forward to ifttt and support for Alexa.

    I’m not so concerned on security as some of you. Besides even if someone did get into my home network, what are they going to get from me?

    I’m just a simple man.
     
  15. EventPhotoMan

    EventPhotoMan Senior Member

    Joined:
    Mar 29, 2018
    Messages:
    221
    Just do it... I know you can, against your own judgement.
     
  16. Zonkd

    Zonkd Regular Contributor

    Joined:
    Oct 19, 2014
    Messages:
    134
    I’m opposed to IFTTT being included in the firmware. IFTTT is insecure all around which is why I quickly stopped using it to sync private messages into slack. If you do build it into Merlin firmware I’ll be disabling it.
     
  17. Zonkd

    Zonkd Regular Contributor

    Joined:
    Oct 19, 2014
    Messages:
    134
    Will they allow you to not include it in the Merlin firmware? Or perhaps just completely hide it in the web UI and then anyone deadset on using it will need to manually unhide it by enabling JFFS and putting in a config adjustment.
     
  18. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    28,237
    Location:
    Canada
    VPN -> VPN Server, for models supporting it. The RT-AC68U for instance is not supported, kernel isn't compatible with requirements for IPSEC.

    They're going to turn your router into a zombie, and use it to attack everyone else when its new master gets hired by someone to perform a DDoS on some random target.

    Security is like vaccination - you're doing it just as much for yourself as for everyone else around you.

    Just don't enable it. Removing it is not an option, too much code is closed source now, a lot of features can no longer be disabled because the pre-compiled portions expect these features to be enabled for the rest of the firmware.
     
    NoSync likes this.
  19. Jack Yaz

    Jack Yaz Very Senior Member

    Joined:
    Apr 20, 2017
    Messages:
    1,243
    Don't you have a rather large number of IP cameras on your network? Do you really want that footage stolen and broadcast across the Internet?

    https://www.snbforums.com/threads/binding-mac-to-ip-limitations.48722/page-2#post-442271
     
    Makaveli and Zonkd like this.
  20. Zonkd

    Zonkd Regular Contributor

    Joined:
    Oct 19, 2014
    Messages:
    134
    Get a foot in the door of a 'simple man's' LAN to take his name, social security numbers, emails, phone numbers and contacts, pets' names and family details/photos. A simple man won't mind a stranger putting a little ransom-ware here or there. Because a simple man isn't so sentimental about his family photos, nor does he care to retain his tax files. The boss won't expect him to protect their private business correspondence and sensitive documents. His boss would understand, because he's a simple man too. And a simple man won't mind all these details being sold to the highest bidder on the darkweb -- nor would he care if the stranger opened a few simple lines of credit and took a bank loan in his name, or in his wife's name, perhaps to invest in bitcoin, because the stranger is a sophisticated man, and he deserves the finer things in life, a dream house and car, things a simple man wouldn't want for himself.

    Everybody needs to trust the devices they use aren't compromised by strangers who don't have your best interests at heart. Stolen identity causes major irreparable damage to people in my country. Once the money is gone the banks often can't do much. The cops can do very little to reverse things or bring justice, especially if the attacker is overseas. And we're all the custodians of someone else's information, usually our loved ones, dependents like children, and family. If we're compromised then so are they. Your carelessness can end up harming them too.

    Edit: and tons of live footage leaked is a great way to get your house robbed.
     
    Last edited: Nov 7, 2018
    JohnSmith, routeraround and Twiglets like this.
  21. Zonkd

    Zonkd Regular Contributor

    Joined:
    Oct 19, 2014
    Messages:
    134
    You recently relocated the DNS Filter options out of the AiProtect section to have a separation between TrendMicro features. That made it clearer for everyone the same privacy EULA didn't apply. Maybe creating a similar separation between safe and risky features would be good? Could relocate IFTTT and other risky features to a dedicated page, maybe I include some short descriptive text explaining what they do, how they work and the risks they introduce. People would take greater pause before enabling them.
     