WebInterface Encryption SSL

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2017-06-26 17:12:19
Hi there,

I have purchased a T2600G-28TS Managed Switch.

I want to enable SSL for the Webinterface. At this point enabling the WebInterface is considered as totally broken and insecure.

For the Protocol there is only SSLv3/TLSv1 which is basically the same protocol. At best this can be called outdated if not a security risk. I am missing TLSv1.1 and TLSv2 and TLSv2+
For the Cipher there is only RC4, DES and TripleDES with MD5 and SHA available. This is considered to be totally broken for a decade or longer.

RC4 is prohibited from IETF for TLSv1 see RFC7465
DES was disallowed in 1999 and replaced by 3DES
NIST considers 3DES as low as 80 Bits security key length.


MD5 is insecure and is known as cracked since 2004.
SHA/SHA1 is also known as broken.

Please remove all these borked ciphers, message digest and protocols and replace with an up to date version.

And replace in the next firmware update with cipherstrings containing:
RSA, AES128, AES256, SHA256, SHA3xx, TLS1.1, TLS1.2, TLS1.2+, DHE, ECDHE, Chacha20, poly1305


best regards


tags: ssl, aes, des, 3des, md5, sha, sha1, tls, cipherstring, cipher, message digest, des, security, webinterface, webgui
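
An added example (not part of the original thread and not TP-Link code): a small Python check that flags the protocols and cipher-suite components the first post calls out, given the names a scanner reports for a management interface. It goes slightly beyond the post by accepting both OpenSSL-style and IANA-style suite names; the sample lists and the function names are constructed for illustration.

```python
import re

# Weak components named in the post above, with a short reason for each.
WEAK = {
    "RC4": "prohibited in TLS by RFC 7465",
    "DES": "single DES, 56-bit key",
    "3DES": "64-bit block cipher, rated weak in the post",
    "MD5": "collisions known since 2004",
    "SHA1": "SHA-1, called broken in the post",
}
WEAK_PROTOCOLS = {"SSLv3", "TLSv1"}  # the only two the post says are offered

def weak_parts(suite):
    """Return the weak components found in an OpenSSL- or IANA-style suite name."""
    tokens = re.split(r"[-_]", suite.upper())
    found = []
    if "RC4" in tokens:
        found.append("RC4")
    # OpenSSL writes 3DES as DES-CBC3; IANA names use 3DES_EDE.
    if "3DES" in tokens or ("DES" in tokens and "CBC3" in tokens):
        found.append("3DES")
    elif "DES" in tokens:
        found.append("DES")
    if "MD5" in tokens:
        found.append("MD5")
    # A bare SHA token means SHA-1; SHA256/SHA384 are separate tokens.
    if "SHA" in tokens or "SHA1" in tokens:
        found.append("SHA1")
    return found

def audit(protocols, suites):
    """Summarise which offered protocols and suites fall in the post's weak set."""
    per_suite = {s: weak_parts(s) for s in suites}
    return {
        "weak_protocols": sorted(p for p in protocols if p in WEAK_PROTOCOLS),
        "weak_suites": {s: {p: WEAK[p] for p in w} for s, w in per_suite.items() if w},
        "unflagged_suites": [s for s, w in per_suite.items() if not w],
    }

# Constructed sample: an offer like the one the post describes, plus two modern suites.
SAMPLE_PROTOCOLS = ["SSLv3", "TLSv1"]
SAMPLE_SUITES = [
    "RC4-MD5", "DES-CBC-SHA", "DES-CBC3-SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-CHACHA20-POLY1305",
]

if __name__ == "__main__":
    for key, value in audit(SAMPLE_PROTOCOLS, SAMPLE_SUITES).items():
        print(key, "->", value)
```

An empty `unflagged_suites` list for a device means every suite it offers contains at least one of the components listed in the post.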
Re:WebInterface Encryption SSL
2017-06-27 22:55:42
You're right, but you should open a ticket to the TP-Link support rather than posting it in the user's forum. I doubt that TP-Link's engineering is reading here.
༺ 0100 1101 0010 10ཏ1 0010 0110 1010 1110 ༻
Re:WebInterface Encryption SSL
2017-06-29 00:31:27
thx for the hint

I already did it and received a response.
My suggestions have been forwarded and I'll receive an answer when there is one available.
Re:WebInterface Encryption SSL
2017-06-29 02:57:09
Great, thank you. Hopefully TP-Link will update this in the firmware for other switches like T1600G, too. :)
༺ 0100 1101 0010 10ཏ1 0010 0110 1010 1110 ༻
Re:WebInterface Encryption SSL
2017-06-29 14:36:44
Hopefully,

to have _ONLY_ RC4/DES/3DES in a productive environment is not sloppy, this is negligent.

In the consumer grade I'd say it's just a throw-away product, and should be re-flashed with openWRT as soon as possible to have a working state. But this is called _BUSINESS_.

But what I really fear is that this is just the surface which can be seen and has a bad smell. How is the code/firmware underneath?
Re:WebInterface Encryption SSL
2017-06-29 23:51:44
AFAIK, OpenWRT does not actively support switches except the ones built into WiFi routers. But you can download the core source code for the T2600G here if you want to see for yourself what SW is running: http://static.tp-link.com/resources/gpl/t2600g-28ts_2.0_gpl.tar.gz. At least it is an embedded Linux system, not some crap from Redmond, which unfortunately is also regarded as business-class-type software by some people. :D
༺ 0100 1101 0010 10ཏ1 0010 0110 1010 1110 ༻