2

I am wondering how I can secure my router so that when I log in (using WiFi) someone cannot see my username and password using software such as ettercap. As you can see, it is saying "Your connection to this site is not private." I have tested this out to see if I can view the username and password with ettercap, and I can. So my question is: how can I make this connection private? Thanks!


techraf
pewpew
  • Related: https://security.stackexchange.com/questions/202739/is-it-something-to-worry-about-when-my-browser-warns-me-that-my-connection-to-19 – mti2935 Apr 19 '21 at 17:45

2 Answers

1

It depends on whether your router supports encryption in the web interface; I would guess that it does. Based on your screenshot, you are using http, which is unencrypted, to connect and log in to your router. This would mean your username and password are being sent in the clear when you log in to manage the device. For obvious reasons, this is bad. Try connecting to the router with https://192.168.1.1/ (or whatever the router's current IP address is).

More on HTTP. More on HTTPS.

TL;DR: see if there is encryption available.

oBreak
  • Thank you for the response! I tried this, but it will not let me connect. I do not believe it is possible with this router to connect with HTTPS on WiFi. – pewpew Aug 14 '16 at 14:16
  • See https://security.stackexchange.com/questions/121163/how-do-i-run-proper-https-on-an-internal-network for some interesting reading on the challenges of getting HTTPS running (with certificates that browsers will readily accept) on a private LAN. – mti2935 Apr 19 '21 at 13:31
0

According to the User Manual of your router, you cannot configure keys and certificates to establish an encrypted connection to it.


The "Authentication Required" window that you included, along with the "Your connection to this site is not private" warning, comes from your browser, which assumes you are connecting to a regular website. As the router requests login credentials over an unencrypted connection, the browser displays the warning.

If an HTTPS connection has been established between the browser and the website, browsers do not display this warning. This, however, requires a working PKI. The website presents a certificate and the browser cryptographically verifies its authenticity, proving that you are indeed connected to the site displayed in the address field.

This would be impractical when setting up a new router. Even if a device generated a new certificate, users would be presented with another browser warning (even more "scary" about the certificate not being valid from the PKI "point of view").


Some more advanced routers will allow you to later add keys and certificates.

With your model, from the moment of factory reset, you are protected only with WiFi encryption (the password is printed on a label attached to your router, see page 11). In short for a customer-grade router: your neighbour will not be able to learn the password you set and type in your browser.

techraf
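An added example, not part of either answer: a small check of how exposed a router login is, given the admin URL and the `WWW-Authenticate` challenge it returns. It assumes the "Authentication Required" dialog is standard HTTP authentication (the page does not say which scheme); the realm name, sample credential and function names are constructed for illustration.

```python
import base64
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Constructed sample of what a browser sends after the login dialog (Basic scheme).
SAMPLE_AUTHORIZATION = "Basic " + base64.b64encode(b"admin:example-pass").decode("ascii")

def decode_basic(authorization: str):
    """Show that a Basic credential is only base64-encoded, not encrypted."""
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    # The user-id cannot contain ':', so split on the first one only.
    user, _, password = base64.b64decode(token.strip()).decode("utf-8").partition(":")
    return user, password

def assess_login(url: str, www_authenticate: str) -> str:
    """Classify the login from the URL scheme and the 401 challenge header."""
    if urlsplit(url).scheme.lower() == "https":
        return "encrypted-in-transit"
    parts = www_authenticate.split(None, 1)
    scheme = parts[0].lower() if parts else "none"
    if scheme == "basic":
        return "cleartext-credentials"       # password readable by anyone on the path
    if scheme == "digest":
        return "hashed-credentials-unencrypted-session"  # no confidentiality for the session
    return "unencrypted-no-http-auth"        # e.g. an HTML form posted over plain HTTP

def fetch_challenge(url: str, timeout: float = 5.0) -> str:
    """Fetch the WWW-Authenticate header from your own router's plain-HTTP admin page."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.headers.get("WWW-Authenticate", "")
    except urllib.error.HTTPError as err:    # a 401 response arrives as HTTPError
        return err.headers.get("WWW-Authenticate", "")

if __name__ == "__main__":
    # Offline demonstration on constructed values; no network access needed.
    print(decode_basic(SAMPLE_AUTHORIZATION))
    print(assess_login("http://192.168.1.1/", 'Basic realm="router"'))
```

If the result over `http://` is `cleartext-credentials` and the device offers no HTTPS, the WiFi encryption mentioned in the answer above is the only protection for the admin password.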