5

There's something I don't understand. Possibly I have some misunderstanding about how HTTPS works.

I heard that some wireless routers allow the user to access the administration page with HTTPS (which is a good idea because then you can configure securely over wireless.) When this is done, how is the identity of the router established? I mean, from what I understand, normal secure websites (Like https://www.paypal.com/) have a secret private key, so that when the client's computer sees the corresponding public key, he can be sure he's really communicating with PayPal. (Did I get that right up to here?)

But how can a router store a private key? I mean, wouldn't black-hat hardware hackers be able to physically open it up, obtain the private key, and then do a man-in-the-middle attack? (Might not be a practical attack in this scenario, I know.)

Ram Rachum
  • 5,231
  • 7
  • 34
  • 46
  • 1
    If someone goes so far as to disassemble your router and copy its configuration without leaving a trace, you've got bigger problems. – user1686 Nov 22 '10 at 12:53
  • But perhaps if all routers of the same model share the same key, then he could have disassembled someone else's router and use the key to hack mine. – Ram Rachum Nov 23 '10 at 08:38
  • Mind you, the key in question is not something physical, but simply data. :-) – unixtippse Nov 25 '10 at 06:10

2 Answers2

5

It use a so-name "self signed certificate", yes, it can be insecure. BUT if you "permanently accept" it when you are physical wired to you router, after that, you can always trust your router as long as it don't want to set another certificate.

shellholic
  • 1,295
  • 9
  • 11
0

Better network hardware allows you to upload a new private cert such that you can even buy a real one from a recognized cert authority. Even if you don't do that, you can generate a self-signed cert from a CA that you run and authorize in your domain.

JGurtz
  • 523
  • 5
  • 13