> On 9 Nov 2017, at 19:48, Neil <barnaby@xxxxxxxxxxxx> wrote:
>
> I suppose, since I have had this router for nearly four years, I could always get
> a new, and hopefully better, one. Or are they all as bad as each other?

They get faster, but if your wireless is faster than your broadband the benefits are modest. I was quite impressed with the last hardware upgrade I got in terms of functionality, but day to day doesn't make a huge difference, the motive for that was VDSL arrived.

Getting TP-Link to fix the XSS issue with DHCP names was a pain. My smartphone now uses the dhcp hostname of "<plaintext>1", that'll speed up regression testing ;)

I went over the beta version of the fixed firmware with Burp Suite and some manual prodding a few weeks ago. It's a bit Heath Robinson as web interfaces go.

Uses HTTP Referrer header as a CSRF token, which I guess is okay.

Reimplements HTTP Basic Auth in JavaScript (Digest Auth would seem so much more appropriate for admin over http, and is the same age as TP-Link), leaving your username and password base64 encoded as a session cookie in the browser. If you have "continue where you left off" set in Chrome (Don't do that.. please just don't...) it would leak your password to anything claiming to be http://192.168.1.1/ if you didn't logout when taking your laptop elsewhere. "Logout early, logout often", as they should say...

They were also returning the WiFi encryption password in the clear on the WiFi settings page, not that with Basic Auth an active attacker couldn't just fetch it if there were a "show me" button, but hey even passive attackers would get everything. Generally got the impression that keeping passwords safe wasn't a priority in various places.

It has some sort of repeat login detection to deter password guessing, locking out at 5 attempts, but it was trivially by-passed by trying to use something other than the login action (sigh).

The web stuff all seemed to be squeezed to work in minimal space. But then has huge JavaScript files with commented out code left in. And a long list of default GSM usernames and passwords presumably to make setting up mobile Internet as backup for your broadband easier (anywhere in the world). I got the impression it has had bare minimum of work on top of what I presume is an old web server that was tightly coded for routers with the RAM they had 10 or 20 years ago.

Wasn't as bad as I feared. But others have done a further demolition job on other TP Link routers. Certainly there was a suggestion the web server crashed in my testing a lot, so there is scope for more serious findings to those with more time to burn.

Having rubbished my TP Link router's latest (not yet even released) firmware I get the impression they are much of a muchness. Certainly Netgear, Zyxel, Linksys, and other kit I've seen was not obviously better.

Intel did some interesting WiFi kit but I think they hit channel conflict, where their routers and access points were better than their customers. In part because they were exposing ALL the features they had added for every client, although the interface was something only a WiFi engineer could love.

Ubiquiti were pricing, and positioning themselves as better than the rest. Whether they've delivered I'm not sure, never splashed enough cash to find out. Kind of tempted to recommend in the "at least they are trying" category.

Some of the issues are hard to address. For example how to bootstrap a secure connection to the router. Really hard to do this without forcing specific hardware/software on users (we don't want Windows only router set-up), but it might be okay to use self-signed certificate say. That said no sign of say a content security policy, which would seem a no-brainer for helping secure embedded web servers where the software changes slowly.

I've taken the view none of it is trustworthy if you need secure computing. So treating my home network like anybody else's WiFi network of doubtful trustworthiness makes perfect sense.

If your security needs are average, just making sure it isn't exposing any interface to the Internet (or ISP). Set decent passwords for web interface and WiFi, apply firmware updates, maybe shuffle it off default IP range if you are paranoid, and if you believe offer up a prayer for all of us.

--
The Mailing List for the Devon & Cornwall LUG
https://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
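
Added example, not part of the original message and not TP-Link's code: the message above describes a five-attempt lockout that only the login action enforced. This sketch keeps the failure counter inside the single credential check that every action calls, so no action can be used to guess around it; the action names, the 300-second window, the credentials and keying the counter on client address are all assumptions.

```python
import hmac
import time

MAX_FAILURES = 5        # threshold mentioned in the post
LOCKOUT_SECONDS = 300   # assumed lockout window, not from the post

class Authenticator:
    """Single choke point: every action that accepts credentials calls verify()."""

    def __init__(self, username, password, clock=time.monotonic):
        self._creds = (username.encode(), password.encode())
        self._clock = clock
        self._failures = {}  # client address -> (failure count, time of last failure)

    def verify(self, client, username, password):
        count, last = self._failures.get(client, (0, 0.0))
        if count >= MAX_FAILURES:
            if self._clock() - last < LOCKOUT_SECONDS:
                return "locked"          # refuse before looking at the password
            count = 0                    # window expired, start counting again
        user_ok = hmac.compare_digest(username.encode(), self._creds[0])
        pass_ok = hmac.compare_digest(password.encode(), self._creds[1])
        if user_ok and pass_ok:
            self._failures.pop(client, None)
            return "ok"
        self._failures[client] = (count + 1, self._clock())
        return "denied"

# Hypothetical action names; the router's real handlers are not shown in the post.
ACTIONS = ("login", "wifi_settings", "reboot")

def handle(auth, action, client, username, password):
    """Every action shares the same check, so none of them bypasses the counter."""
    if action not in ACTIONS:
        return "unknown action"
    return auth.verify(client, username, password)

def demo():
    """Five wrong guesses sent to a non-login action, then the right password."""
    now = [0.0]
    auth = Authenticator("admin", "constructed-password", clock=lambda: now[0])
    client = "192.168.1.50"  # constructed client address
    results = [handle(auth, "wifi_settings", client, "admin", f"guess{i}") for i in range(5)]
    results.append(handle(auth, "login", client, "admin", "constructed-password"))
    now[0] += LOCKOUT_SECONDS  # after the window the correct password works again
    results.append(handle(auth, "login", client, "admin", "constructed-password"))
    return results

if __name__ == "__main__":
    print(demo())
```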