How to securely login to gateway

dangermikeb · October 25, 2023, 10:40am

Issue: When I login to my 7268C gateway via IP address, e.g. 192.168.86.21, the browser indicates that it is not a secure connection. How do I make the login use https so that when I enter the password it isn’t sent in the clear?

Setup: I’ve got a RAK7268C connected to my home wifi network. By looking at the devices connected to my wifi router, I can determine the IP address of the 7268C gateway. I then enter that IP address in the browser which takes me to the 7268C login screen, where I enter the assigned password for my 7268C.

Since the browser indicates that the connection isn’t secure, isn’t my password being sent in the clear. If this is true, is there a setting I can enable on the 7268C that will make it so that I can securely login to the 7268?

Server:

Details:
When I look in the online product manual at the URL below, it indicates that the login mechanism is http rather than https.

Nikola · October 26, 2023, 9:24am

Hello @dangermikeb ,

Is that V1 or V2 gateway? Also, may I ask what is your use case scenario/security concern?

Best Regards,
Nikola Semov

dangermikeb · October 26, 2023, 10:32am

Hi @Nikola ,
It’s a V2 gateway. The reason I asked this question is because I was thinking that if someone was monitoring IP traffic on my wifi network at the time I logged in to the gateway, that they would be able to see the password that I used to login to the gateway.

What got me to thinking about this was an incident that happened last week when my business partner was setting up a gateway for deployment at a customer site. In setting up the gateway he had forgotten to enable encryption when configuring the Wireless Access Point. I noticed this when I happened to scan WiFi networks and saw that the gateway was broadcasting an open WiFi network. I helped him to enable WPA2-PSK, but in doing so, noticed that the login to the gateway to get to the Wireless Access Point settings wasn’t occurring over a secure connection.

velev · October 26, 2023, 11:43am

Hi @dangermikeb The used certificate in the WisGateOS is self-signed from RAK. As not issued from a trusted CA the browsers automatically rejects it. Even if the certificate is self-signed, HTTPS still provides encryption. So, when you accept the certificate in your browser (typically there’s an “advanced” or “proceed anyway” option), your connection will still be encrypted and secure against eavesdropping.

dangermikeb · October 27, 2023, 11:31am

thank you for the explanation, Todor.

system · November 6, 2023, 11:32am

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.