Hacker News new | ask | show | jobs
by Johnny555 1781 days ago
manually overriding this configuration usually demonstrates a sufficient enough understanding that the default credentials have likely also been changed

I don't think that's a reasonable assumption at all -- the router should ensure that the admin cred has been set to a (reasonably secure) password. Just because someone read on a web page that they should enable remote admin doesn't mean that they understand the risk.

And it should warn that exposing the admin interface to the internet may make the router more vulnerable to remote exploits - basically the same type warning that browsers show for a bad SSL cert should be shown for insecure router configs - tell the user that it's insecure and is a really bad idea before they do it.
1 comments
Alupis 1781 days ago
How do you know this router doesn't already do that?

You're making some wild assumptions here.

Even your basic free Comcast router comes with sane defaults, and tons of warnings for every configuration change.

Here's the user manual for the TP-Link AC2300 - The Archer C7 found in the google results this post links to:

https://static.tp-link.com/2019/201912/20191231/7106508598_A...

Step 2 forces the default password to be changed. There is no way around that step.

None of your assumptions are true here.

link
Johnny555 1781 days ago
Here's another TP-link manual:

https://www.tp-link.com/us/support/faq/66/

1. Open the web browser and in the address bar type in: http://192.168.1.1

2. Type the username and password in the login page. They are both admin by default.

3. Click Security->Remote Management on the left side

4. To enable this function, please change the Remote Management IP address from 0.0.0.0 to a specific authorized remote IP address.

Here's the warning they give at the bottom of the manual:

Few people read the entire manual, if they read it at all, they read enough to do what they want, and fewer still know what "Use this with caution" means. I don't even know what it means. I typed 255.255.255.255 carefully, is that sufficient caution?

Type 255.255.255.255 Remote Management IP Address means that you can connect to the router remotely from anywhere via Internet, this is not recommended and please use it with caution

We suggest changing the default log in Username and Password if the Remote Management feature is enabled, especially if you typed 255.255.255.255 as the Remote Management IP address.

link
Alupis 1781 days ago
That link isn't from the routers this post links to (specifically Archer C7 and C9 routers).

And, your link is old, to say the least. That screenshot is from the Windows XP era.

You're trying to lampoon TP-Link for things that simply are not true anymore, nor have been for a long while.

I'll repeat again - the defaults on these routers is to prohibit WAN access and they force a password change at setup. What more are you complaining about?

link
Johnny555 1781 days ago
Also from the page I linked to:

Updated 04-18-2019 07:10:55 AM

This Article Applies to: TL-WR841N (and a couple dozen others).

You can buy a TL-WR841N today for $20. It was released in 2015, so it may be an "old" router, but old routers never die, they just get cheaper.

link
Alupis 1781 days ago
OK so what? Nothing you've stated here applies to the original post. You're fabricating some outrage about nothing relevant. The original post shows Archer C7 and C9 routers...
link
Johnny555 1781 days ago
What original post? It was a google search that reveals some router's remote admin page, that search doesn't mention any specific router brand or model.

But regardless, I was responding specifically to your comment:

manually overriding this configuration usually demonstrates a sufficient enough understanding that the default credentials have likely also been changed

(That's why I quoted it in my reply)

And the point I was trying to make is that merely being able to override the default remote admin setting does not ensure that the user has any idea what the ramifications are. I'm surprised you're even arguing against that.

link
kelnos 1781 days ago
> Step 2 forces the default password to be changed. There is no way around that step.

Sure, and you can change that password to "foobar" or whatever bad password you want. And I bet that login page doesn't have any rate limiting or a lockout after too many failed logins.

Fortunately, though, I don't think there are any of these that enable remote admin by default, so the owner would need to do that explicitly. Hopefully they've paired that with a strong password. Even then, I still wouldn't advise anyone actually doing this...

(Your manual link is broken; it takes me to a page that just links to TP-Links main marketing website.)

link