HTTPS: Web Admin Access: Firefox Security Exception

Hi All,

I am just getting started with my max-on-the-go and want to first establish an HTTPS connection to the Web Admin using only my LAN connection. I am running Firmware: 7.0.3. I am getting a message on my Firefox browser asking if I want to make an exception.

My understanding is that Peplink is just saying to add an exception in Firefox and that this is perfectly safe. However my question is why doesn’t Peplink take the necessary steps so that Firefox and other browsers recognize my IP address?

Also…if Peplink is stating that adding the exception is a perfectly safe and secure action to take, shouldn’t that guidance belong in an official manual somewhere?

Thanks

Have a look here: Help enabling HTTPS on admin interface

A public certificate authority cannot assign certificates for a private IP address. The way some vendors do this is to set up a default DNS entry that can be used to access the device locally and then produce a self-signed cert for that fake domain (i.e. https://mydevice.peplink.local), which is far more insecure in my opinion.

Yes it should be added.

2 Likes

So just to confirm…since I know that the IP address is the correct one for my router; I can feel assured in confirming the security exception in my Firefox browser.

Thanks

Yes. For the reasons @MartinLangmaid provided, it is safe to do that. Many of us find it a bit uncomfortable, but it’s OK. Actually, not doing so and using HTTP (vs. HTTPS) is a worse alternative.

Firefox is merely calling your attention to a possible “issue” and asking you to resolve it.

2 Likes

Thanks all for the clarification! Based on prior posts I thought this was safe, but I like to understand fully what is going on for my own comfort level. My understanding now is that it is far safer to type the actual IP address (i.e. numbers) in the web address of a browser because one has those numbers right on the back of the router. Thus one can be assured they have the correct path.

Thanks again all !!! :smile:

I have a related question. I hope it is not a breach of etiquette to add it to this thread. If it is, someone should let me know, please.

I am experiencing the same behavior using Firefox 57.0.4 to access the admin page. It is even worse with Safari 11.0.2. In the latter case, that browser will not take me to the admin page after I accept the risk. It just recycles through the warning routine.

I added this line to /etc/hosts, ‘192.168.50.1 captive-portal.peplink.com’, and rebooted. That fixed this problem in both Firefox and Safari. Both now open https://captive-portal.peplink.com immediately, without warning or blockage.

Is there any added security or other risk to having this entry in /etc/hosts?

With my thanks

Please consider changing your default IP, and be careful with sharing this kind of stuff online.

The Firefox warnings due to the SSL certificate are actually a good thing. They’re saying your certificate is not public, they don’t know about it, nobody does. When you go to https://netflix.com, Firefox is calling the trust authority and asking “Hey, Authoriti is trying to use netflix with their cert, netflix is using their own signed web-of-trust cert, can you confirm that these are their certs and that this is really encrypted and not a faked handshake?” And the root trust authority (Comodo or Verisign or a few hundred others) says “Yup, those are valid.” You can have a certificate for yourself, between you and your router, and the root authority is “you.” The default certificate that comes with a peplink router is just an encrypted certificate between you and your router; the only “danger” is that a wayward peplink engineer is planting compromised certs into the routers, but seems there’d be easier ways to make a backdoor than that. There is a way to change this certificate, but for my surf soho, it wasn’t yet supported – It’s a little complicated, there’s a thread about it with requests to customize this. I decided it was not a security priority. But you can generate a PEM encoded cert and have it approved with a root authority if you like (I think):

That’s what is happening when you try to connect to the router; as I recall from a thread on here, we cannot yet create our own certificates that correspond to our own keys (at least not for Surf Soho) using a utility like gpg/gpg2 or openssl. All Firefox is saying is “I have no idea where this certificate is coming from, I don’t know who to call.” The encryption is still happening though so you’re safe. Hopefully one is only accessing the admin page through local LAN anyway.

2 Likes

That actually brings up another question I have murgatroid. After my post I changed the last 4 digits of my IP address from the default. The back of my router has the first 9 numbers written right on it and I assume other routers have the same number. My understanding is we can change the last 4 numbers but not the others. Would I be correct?

Also…I’m assuming someone else could have chosen the same last 4 numbers as me, but I have my unique username and password so I guess that is fine.

Thanks :slight_smile:

Thanks, Murgatroid, for your concern and explanation. I gave the default IP number in my /etc/hosts example to show the syntax of the entry. I am not saying that is my actual IP number. The SSL warning is well understood, but the way around it is tedious and problematic. The admin page is maintained by a trusted and competent vendor. The /etc/hosts entry transforms the login process into something easy and quick. I do not enjoy creating and maintaining SSL certificates. Anyone who does is welcome to their fun.

I have an idea that maybe some would like to help me with to assist others. When setting up a peplink router right out of the box the most important first step is to simply establish a secure connection to the Web Admin portal. Here is how I would have done it knowing what I know now.

Anyone please feel free to correct or add to this list :slight_smile:
I am definitely not an authority…hence “authoriti” :slight_smile:

Initial Setup of a Peplink Router

Step 1: Write down default access IP address and AP password from back of router.

Step 2: Navigate to that IP address in your browser…initially using http:// and log in with default credentials.

Step 3: Navigate to the AP tab and uncheck “Hide Characters” for the “Shared Key”. Confirm that default “Shared Key” matches that on your router (Step 1). I don’t know of a better way to confirm that one is logged into their router. Make sure the AP is disabled for the time being.

Step 4: In the “System” tab > “Firmware” > “Check for Firmware”…and update to latest version if available. “Save” and “Apply Changes”

Step 5: In the “System” tab > Admin Security…set “Security” as shown. I have left “Web Admin Port” values blank here. Keep the “HTTP:” value the same, but change the “HTTPS” value to a different set of 4 numbers. Also set “Web Admin Access” to “LAN Only” for both. This means that one can only log into the Web Admin when their computer is wired to their router.

“Save” and “Accept Changes”…while remembering or writing down your new 4 digits for your HTTPS:// address.

image

Step 6: Log off of the Web Admin

Step 7: Log back into the Web Admin but this time using the https:// extension…the IP address…then " : " and your new 4 digit HTTPS:// extension set in Step 5.

Step 8: Firefox or other browsers will raise a flag, but you now know that you are in fact logging into the correct IP address with your new HTTPS 4 digit extension so you can confirm the security exception and then log back into the Web Admin under the HTTPS protocol. Now that you have established an HTTPS:// connection you can feel confident that no one can see your edits in the Web Admin. This is the time you will want to reset credentials.

Step 9: Under “System” Tab > “Admin Security” change your “Admin User Name” and “Admin Password” then “Save” and “Accept Changes”

Step 10: Under “AP” tab > “SSID” … Change your “SSID” name and “Shared Key”… “Save” and “Accept Changes”. Note: This is your WiFi log-in information.

Step 11: Log off the Web Admin and log back in using the HTTPS IP address and confirm your settings. Now would be a good time to enable your AP if you want a WiFi signal.

Step 12: If you find yourself locked out and cannot get back into your Web Admin…Use a pin and hold down the pin hole in your router for 20 seconds. This will bring your router back to factory settings. Of course if you need to do this…that means the instructions here were wrong and need to be corrected :joy:

Again … comments/edits/suggestions welcome !!! :slight_smile:

1 Like
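As an added example (not code from any post in this thread, nor from Peplink), here is the check that sits behind Step 8 and behind @murgatroid’s explanation of why Firefox complains: the router’s default certificate is self-signed (issuer equals subject), so no public authority can vouch for it, and what makes accepting the exception meaningful is comparing the SHA-256 fingerprint Firefox displays with one you recorded from a known-good connection over a wired LAN cable. The IP 192.168.50.1 and the throwaway certificate below are constructed; `live_fingerprint` assumes the router is reachable, and the rest runs offline.

```shell
#!/bin/sh
# Added example (not Peplink's code): pin a router's self-signed admin
# certificate by its SHA-256 fingerprint instead of blindly clicking "accept".
set -eu

# SHA-256 fingerprint of a PEM certificate file, e.g. "AB:CD:...:EF".
file_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# SHA-256 fingerprint of whatever certificate HOST:PORT presents right now
# (needs the router reachable; not exercised offline).
live_fingerprint() {
  openssl s_client -connect "$1:$2" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# True when issuer == subject: nobody but the device itself vouches for it,
# which is exactly the condition that makes Firefox raise the exception dialog.
is_self_signed() {
  iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
  sub=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
  [ "$iss" = "$sub" ]
}

# Compare an observed fingerprint with the pinned one (exit 0 on match).
# A mismatch after the pin was recorded means you are not talking to the
# same device (or its certificate was regenerated), so do not accept it.
check_pin() {
  [ "$1" = "$2" ]
}

# Constructed stand-in for the router's factory certificate: self-signed,
# with the (constructed) LAN IP as subjectAltName. $1 is the output directory.
make_demo_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=192.168.50.1" -addext "subjectAltName=IP:192.168.50.1" \
    -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Usage: record the pin once over a wired connection, compare on later visits.
#   make_demo_cert /tmp/demo; file_fingerprint /tmp/demo/cert.pem > ~/.router.pin
#   check_pin "$(live_fingerprint 192.168.50.1 PORT)" "$(cat ~/.router.pin)"
```

The value printed by `file_fingerprint` (or `live_fingerprint`) is the same string Firefox shows under “SHA-256 Fingerprint” in its certificate viewer, so the two can be compared by eye before confirming the exception.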

Or even better, if you want to get the green lock like me: image

You should try the Find My Peplink feature on InControl 2, which gives you a .mypep.link domain name, and helps you to manage a trusted certificate, so next time when you need to access Web Admin, just go to https://.mypep.link and you’re good to go.

3 Likes

I realize a lot of bread and butter for Peplink comes from services provided after purchase. I like to consider my word of mouth to be a kind of “payment” to Peplink for the quality of their products and firmware, but a lot of people don’t want to have 3rd party services manage their routers. InControl is a nice feature for people that don’t want to worry about things, but part of the reason why people have turned to Peplink (through Mr. Horowitz’s blog or elsewhere) is because they made too many assumptions and put too much trust in “the right thing to do.” This could be anti-virus software, or their ISP, or, if they’re Apple users, in the continuing religious belief that OSX is invincible and more secure than everything.

The sad thing I’ve learned from this whole experience over the years, and from reading the blogs of blackhats, whitehats, red teams, blue teams, purple teams (hat color unknown), and all the other colors of the rainbow, is that the more you look at security, the more you learn that you need to learn more. So I think for people starting out with a router, it helps to understand what is actually happening. That’s the only way you’re going to feel empowered in any way in the long term.

The comment from the user above about “not wanting to spend time maintaining SSL certificates” is understandable. Everybody has a comfort zone. You have to define your own ring of trust, balanced with time for other things like family and creativity. But nothing on the internet is really as it seems. Read the annual security reports from Cisco, Kaspersky, or dozens of others, and you will quickly fall down the rabbit hole. Spectre has been with us for 20 years. Heartbleed is still creeping in the corner as a reminder that black swans are all around us. You can get lost in the attic, or spend all your time in front of the TV. It’s a personal choice. I think learning how to do it by yourself gives you a sense of control, which is more necessary for some people than for others.

2 Likes

I tend to agree wholeheartedly with your posting. I think a lot of people place trust in Pepwave merely because it’s less well known and thus assumed to be more secure. Security through obscurity (closed source…) is not security at all in any sense of the word. Just ask Apple!

And the idea of giving Pepwave access to my routers remotely leaves a bad taste in my mouth. I do utilize Ubiquiti devices with Cloud Access but they don’t manage or run my controller, merely provide a secure path for me to remotely administer them. I’m a little uncomfortable with the idea of them having direct access to the devices…not to mention the on-going subscription fees for the devices each year, for the “privilege”.

Thus, the first thing I do is turn OFF the ability for InControl2 management. Which should be OFF by default.

1 Like

I have read a lot of posts about this HTTPS - Web Admin access experience and this thread is very good at revealing, as @murgatroid said - “What is really going on” with these settings. Thank you all. That paragraph about the certificates doing the handshake was great and helped confirm what I suspected, but wasn’t sure about.

Figuring out the settings that are in my best interest is tough when I don’t really understand the implications of the choices. The more “what’s really going on” information, the better. @authoriti’s Initial Setup of a Peplink Router is another great layer that reaches beyond the manual to why this and why this.