Posted by Nomen Nescio on October 31, 2007, 3:00 pm
DevilsPGD wrote:
>
> >The SSL certificate used by your router *must* be registered to the
> >router manufacturer, not some arbitrary IP address. This is a perfect
> >case of a valid certificate generating the warnings it's supposed to
> >generate because it's used in an implementation where it's impossible
> >to do it any other way and still maintain a secure connection to your
> >router. Linksys has no way of knowing what your router's
> >internal IP address will be.
>
> Not at all. A self-signed certificate generated by the router with a
> valid hostname would be best, since the user can simply install the
> certificate once and never have warnings again.
That's the problem. Routers don't have valid host names from where
you need to access them. Internally they're straight IP addresses.
Your suggestion would mean that every router would have to have a
public facing administrative interface (and no private administrative
interface).
Noooooooo thank you. ;)
> Linksys simply cannot get a certificate registered for "192.168.0.1"
> even if they wanted one.
>
> Another option though, and this would be fairly trivial to implement
> if Linksys (and others) were actually serious about security.
> Purchase a certificate for "router.linksys.com", on the internet
> point that IP to 192.168.0.1 (or whatever is the standard for routers
> that use that default) and then have the router's DNS server override
> that mapping and supply the valid IP.
First of all, there is no standard. There are defaults, they vary from
router to router, and they can easily be changed (in many cases they
have to be).
Second of all, this is flatly impossible. The 192.168.x.x IP block is
what's known as "non-routable". Those addresses can't be resolved from
the outside under any circumstances. If they could, every router still
set at defaults would conflict with every other similar router.
> This would work for all browsers and all networks where the network
> uses the router as a DHCP server, and the router passes DNS up to the
> ISP (as is the case with most consumer grade routers)
>
> As it is, they distribute a certificate which isn't valid, thereby
That's not true at all. The certificate is perfectly valid. And it's
trivial to decide whether or not to accept it in spite of the "doesn't
match" error *because* it's coming from a non-routable address. You're
manually entering the address, and that address can't exist anywhere
outside your local network (from your perspective). It's a sure bet the
certificate is kosher.
> adding virtually no security, and worse, training users to ignore
> certificate errors.
No security??
On the contrary, it's very hard security. Local networks are easier to
sniff than the Internet proper. For a home user with a single machine it
may not matter, but anything more complex than that and the SSL
encrypted connection is in some ways more critical than SSL connections
to outside servers. You're talking about the boundary equipment that
controls how traffic flows into, out of, and through the local net. Own
that, and you own every machine on that local net.
> I consider that a negative in the grand scheme of things.
I don't think you really understand what a router looks like on a
network. And you obviously don't understand non-routable IP
addresses. ;) There's no negative or positive about it really, it's
just the way things must be if you want a secure connection to your
router. It's silly to think that Linksys or anyone else should have to
have a different certificate for every piece of equipment they produce,
and it can't be done anyway because by default every model/series/class
of equipment is the same.
It simply just can't work that way.... :(