router.asus.com not working on Firefox anymore?

MSuomi

Occasional Visitor
Strange, saw the new firmware for AX88U and went to install it with Firefox, as usual.

Unable to connect

An error occurred during a connection to router.asus.com.

The site could be temporarily unavailable or too busy. Try again in a few moments.
If you are unable to load any pages, check your computer’s network connection.
If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web.

On Edge it works and straight IP-address does work.
So there are no big problems. I've tried everything that comes to my mind, but no. On Firefox, it just doesn't work.

Nothing, as such, has changed. Of course, Firefox has been updated but...

Just asking if anyone else has the same problem or any insight what to try. I've been messing with https-settings, Firefox cache and so on. With no help, router settings are now back at the same as they have always been.
No change tinkering with them...
 

bennor

Very Senior Member
Maybe try accessing the GUI using the IP address, then check (on the Administration > System page) the "Redirect webui access to router.asus.com" setting. Make sure it's set to "Yes", hit Apply, and see if that changes anything.
 

MSuomi

Occasional Visitor
Maybe try accessing the GUI using the IP address, then check (on the Administration > System page) the "Redirect webui access to router.asus.com" setting. Make sure it's set to "Yes", hit Apply, and see if that changes anything.
Yes, tried that earlier, no change.

Just tested on Linux with Firefox, there it says, that no https available and asks about http and works.
On Windows Firefox doesn't even ask that... Strange, I have same add-ons and all the settings on both.
Maybe I'll tinker with FF settings on Windows side, some more...
 

Yota

Very Senior Member
The latest version of Firefox will first access the website as HTTPS, which means that Firefox will try to access port 443. Since the router's port 443 is usually reserved by AiCloud by default, even if you enable HTTPS for the router (default port 8443), Firefox will report that it cannot be accessed.

An easy way to do this is to specify the protocol, IP and port of the access (http://192.168.50.1:80 / https://192.168.50.1:8443), and then add it to bookmarks so that you don't run into trouble in the future.

The best solution is to switch the AiCloud port to something other than 443 and enable HTTPS running on port 443 for the web admin GUI.

Also, this is not a Firefox bug, but a transitional way for the World Wide Web to move to full HTTPS.
 

MSuomi

Occasional Visitor
The latest version of Firefox will first access the website as HTTPS, which means that Firefox will try to access port 443. Since the router's port 443 is usually reserved by AiCloud by default, even if you enable HTTPS for the router (default port 8443), Firefox will report that it cannot be accessed.

An easy way to do this is to specify the protocol, IP and port of the access (http://192.168.50.1:80), and then add it to bookmarks so that you don't run into trouble in the future.

The best solution is to switch the AiCloud port to something other than 443 and enable HTTPS running on port 443 for the web admin GUI.
OK, that must be it. Linux has a little bit older FF and I do use beta builds on Windows. I'll change that port, when I'm on computer next time...
 

MSuomi

Occasional Visitor
Now it doesn't like the self signed certificate :p

router.asus.com uses an invalid security certificate.

The certificate is not trusted because it is self-signed.

Error code: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT

Strange, that this is a problem, with Firefox only...
 

RMerlin

Asuswrt-Merlin dev
Strange, that this is a problem, with Firefox only...
Firefox devs have been smoking weird stuff these past few years. Between their automatic DNS hijacking or their recent download filename overriding, what more can I say.
 

MSuomi

Occasional Visitor
Firefox devs have been smoking weird stuff these past few years. Between their automatic DNS hijacking or their recent download filename overriding, what more can I say.
Yeah, they indeed have, cannot deny that xD
 

Yota

Very Senior Member
Error code: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT
This is not Firefox's fault. There is no reason for any browser to trust self-signed certificates. Browsers believe that all SSL certificates should be issued by a trusted root certificate authority, because if the SSL comes from a self-signed or untrusted source, the role of SSL and the established trust system collapses.

For reserved IP addresses, no certificate authority will issue a valid certificate for them because they are not part of the internet and no one can claim to own them alone, so you need to decide for yourself if you should trust the site, which is the meaning of the error code.

If you don't trust it, close the page. If you trust it, select "Advanced" - "Accept the risk and continue". After you accept the risk, Firefox will usually add its certificate to the whitelist, so next time you will not see this annoying page.

Also, all browsers will display similar warnings when accessing self-signed certificates. Because for the internet they matter, where there is no reason to trust a website with self-signed and false certificates, but for your own local network, it's a different story.

Firefox devs have been smoking weird stuff these past few years. Between their automatic DNS hijacking or their recent download filename overriding, what more can I say.
Firefox has tried to push some positive improvements over the years, although there are some that may undermine expected and desired behavior. DNS is an important step in protecting privacy, implemented at the browser level since many people don't have routers that support encrypted DNS. It's a very simple way to bring this privacy-preserving technology to more people.

For businesses and governments, Firefox has been giving administrators more administrative privileges and making them easier to deploy, including disabling encrypted DNS or blocking specific websites.
 

MSuomi

Occasional Visitor
This is not Firefox's fault. There is no reason for any browser to trust self-signed certificates. Browsers believe that all SSL certificates should be issued by a trusted root certificate authority, because if the SSL comes from a self-signed or untrusted source, the role of SSL and the established trust system collapses.

For reserved IP addresses, no certificate authority will issue a valid certificate for them because they are not part of the internet and no one can claim to own them alone, so you need to decide for yourself if you should trust the site, which is the meaning of the error code.

If you don't trust it, close the page. If you trust it, select "Advanced" - "Accept the risk and continue". After you accept the risk, Firefox will usually add its certificate to the whitelist, so next time you will not see this annoying page.

Also, all browsers will display similar warnings when accessing self-signed certificates. Because for the internet they matter, where there is no reason to trust a website with self-signed and false certificates, but for your own local network, it's a different story.


Firefox has tried to push some positive improvements over the years, although there are some that may undermine expected and desired behavior. DNS is an important step in protecting privacy, implemented at the browser level since many people don't have routers that support encrypted DNS. It's a very simple way to bring this privacy-preserving technology to more people.

For businesses and governments, Firefox has been giving administrators more administrative privileges and making them easier to deploy, including disabling encrypted DNS or blocking specific websites.
Probably, but it doesn't allow it, even if I would take responsibility. There isn't even a possibility to do so.


"Did Not Connect: Potential Security Issue

Firefox detected a potential security threat and did not continue to router.asus.com because this website requires a secure connection.

router.asus.com has a security policy called HTTP Strict Transport Security (HSTS), which means that Firefox can only connect to it securely. You can’t add an exception to visit this site."


I mean, it's easier to just use Edge from now to this purpose :)
Or then I could, indeed, bookmark the http-one. No biggie ;D
 

Yota

Very Senior Member
Probably, but it doesn't allow it, even if I would take responsibility. There isn't even a possibility to do so.


"Did Not Connect: Potential Security Issue

Firefox detected a potential security threat and did not continue to router.asus.com because this website requires a secure connection.

router.asus.com has a security policy called HTTP Strict Transport Security (HSTS), which means that Firefox can only connect to it securely. You can’t add an exception to visit this site."
Enter about:networking#dnslookuptool in the Firefox address bar, then type router.asus.com and see if you can resolve to an IP address of 192.168.XX (from your router)

My guess is that your Firefox automatically enables DNS over HTTPS (encrypted DNS) for you, and the asus domain is then resolved to the real asus website, not the asus (local) website as claimed by the router.

The real asus website then deploys HSTS, a feature that prohibits browsers from doing any fallbacks that reduce TLS security, including trusting self-signed certificates.


There are two different solutions, pick the one that suits you:

First, disable DoH (encrypted DNS) in your browser, you can read how to do it here, after disabling you may need to clear your browser cache to make sure the browser correctly ignores the HSTS deployed by the real asus website.

Second, go to the IP address directly, http://192.168.50.1:80 / https://192.168.50.1:8443.


I mean, it's easier to just use Edge from now to this purpose :)
Well, this seems like an easier option
 

MSuomi

Occasional Visitor
Enter about:networking#dnslookuptool in the Firefox address bar, then type router.asus.com and see if you can resolve to an IP address of 192.168.XX (from your router)

My guess is that your Firefox automatically enables DNS over HTTPS (encrypted DNS) for you, and the asus domain is then resolved to the real asus website, not the asus (local) website as claimed by the router.

The real asus website then deploys HSTS, a feature that prohibits browsers from doing any fallbacks that reduce TLS security, including trusting self-signed certificates.


There are two different solutions, pick the one that suits you:

First, disable DoH (encrypted DNS) in your browser, you can read how to do it here, after disabling you may need to clear your browser cache to make sure the browser correctly ignores the HSTS deployed by the real asus website.

Second, go to the IP address directly, http://192.168.50.1:80 / https://192.168.50.1:8443.



Well, this seems like an easier option
Yes, it resolves correctly to my router IP.
 

Yota

Very Senior Member
Yes, it resolves correctly to my router IP.
I checked the real asus website's certificate and they do have HSTS enabled for their website. However, their SSL certificate is a wildcard domain *.asus.com, which means their certificate's declared validity overrides the router's local asus website router.asus.com. This should happen when the browser visits the real asus website once, then the browser remembers the HSTS policy and applies the previously remembered HSTS policy the next time you try to visit the local asus website.

As I said, it's all about improving privacy; it's not Firefox's fault or bug. If you first go to a real asus site like www.asus.com on Edge or Chrome, and then go to your router's local asus site router.asus.com, I think you'll get the same error. Otherwise, if you are allowed to bypass HSTS, it would be a browser bug.
 

MSuomi

Occasional Visitor
I checked the real asus website's certificate and they do have HSTS enabled for their website. However, their SSL certificate is a wildcard domain *.asus.com, which means their certificate's declared validity overrides the router's local asus website router.asus.com. This should happen when the browser visits the real asus website once, then the browser remembers the HSTS policy and applies the previously remembered HSTS policy the next time you try to visit the local asus website.

As I said, it's all about improving privacy; it's not Firefox's fault or bug. If you first go to a real asus site like www.asus.com on Edge or Chrome, and then go to your router's local asus site router.asus.com, I think you'll get the same error. Otherwise, if you are allowed to bypass HSTS, it would be a browser bug.
Well, then there is a bug in Edge. As I visited several Asus-sites and the router's homepage still works ok on Edge.
It doesn't go to secured site, though.
 

Yota

Very Senior Member
router.asus.com has a security policy called HTTP Strict Transport Security (HSTS), which means that Firefox can only connect to it securely. You can’t add an exception to visit this site."
As real asus sites use HSTS, I think this will affect more people in the future; @RMerlin should pay attention to this. A temporary workaround is to use private browsing to access the router's local asus site; this will make the browser ignore the previously remembered HSTS policy.

The real solution is to always use your IP address to access, because you don't own the asus website, but to some extent you do, so direct access via your IP address reduces the chance of more problems in the future.


Well, then there is a bug in Edge. As I visited several Asus-sites and the router's homepage still works ok on Edge.
It doesn't go to secured site, though.
It looks like Edge is weakening the effectiveness of HSTS (HTTP Strict Transport Security). Stay away from Edge; it doesn't look like it will protect you by providing effective warnings in the future if you are attacked by a true man-in-the-middle attack.
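The remembered-HSTS behaviour and the workarounds discussed in the posts above, as an added example (not code from any poster, from Firefox or from ASUS): a simplified model of a browser's HSTS host list following RFC 6797, in which a policy carrying `includeSubDomains` that was noted for a parent domain also covers `router.asus.com`, while an IP literal or an empty list (how the post describes a private window) is not covered. The header value, and the assumption that it is sent for `asus.com`, are constructed for illustration; browser preload lists are not modelled.

```python
import ipaddress

def parse_sts(header):
    """Parse a Strict-Transport-Security value (RFC 6797, section 6.1)."""
    max_age, include_sub = None, False
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            max_age = int(value.strip().strip('"'))
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        raise ValueError("max-age directive is required")
    return max_age, include_sub

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

class HstsStore:
    """Simplified model of a browser's list of known HSTS hosts."""
    def __init__(self):
        self.hosts = {}  # hostname -> (expiry time, includeSubDomains flag)

    def note(self, host, header, now):
        """Record the policy seen on a valid HTTPS response from host."""
        max_age, include_sub = parse_sts(header)
        # max-age=0 yields an entry that is already expired, i.e. removed
        self.hosts[host.lower().rstrip(".")] = (now + max_age, include_sub)

    def is_hsts(self, host, now):
        """True if host must use HTTPS with no certificate exceptions."""
        host = host.lower().rstrip(".")
        if is_ip_literal(host):
            return False  # HSTS matching never applies to IP literals
        labels = host.split(".")
        for i in range(len(labels)):
            expiry, include_sub = self.hosts.get(".".join(labels[i:]), (0, False))
            if expiry > now and (i == 0 or include_sub):
                return True  # exact match, or parent with includeSubDomains
        return False

# Constructed sample: a policy assumed to be sent by the parent domain.
store = HstsStore()
store.note("asus.com", "max-age=31536000; includeSubDomains", now=0)
```

With this state, `store.is_hsts("router.asus.com", now=1)` is true and `store.is_hsts("192.168.50.1", now=1)` is false, which is why the IP-address bookmark keeps working.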
 

RMerlin

Asuswrt-Merlin dev
The real solution is to always use your IP address to access, because you don't own the asus website, but to some extent you do, so direct access via your IP address reduces the chance of more problems in the future.
Or use the hostname you defined on your router's LAN page - that's what I always do here when accessing one of my development routers.

My firmware doesn't automatically redirect to router.asus.com, which is something the stock firmware does.
 

JIPG

Regular Contributor
Or use the hostname you defined on your router's LAN page - that's what I always do here when accessing one of my development routers.

My firmware doesn't automatically redirect to router.asus.com, which is something the stock firmware does.
Just out of curiosity, how do you use the hostname to connect to the router?
 

sbsnb

Very Senior Member
This is not Firefox's fault, there is no reason for any browser to trust self-signed certificates
There is one good damned reason: because I trust the certificate and want my browser to respect my wishes. Mozilla has been getting full of hubris like this as of late, telling users what's good for them rather than letting users decide how they want to use things. That's how they squandered their user base and continue to spiral into the ground. I finally had to ditch Firefox myself as it became too much. It seemed sad somehow after using just about every "Netscape" product serially from 1992 through 2022. I take it as a healthy reminder how bad leadership can grind even the best product into the ground. Mitchell Baker has been to Mozilla what Eddie Lampert is to Sears.
 
