Posted: Thu Nov 10, 2022 1:07 Post subject: Default Web access protocol
Since many browsers now by default give warnings or try to block http protocol websites in favor of https protocol would it be possible to have both http and https protocols selected in the Administration/Management tab by default? I know about the self-signed cert issue but IMHO it would make initial set-up a bit easier after doing a nvram erase. _________________ Netgear XR500 - Gateway
R6700 v3 - Station Bridge
Joined: 31 Jul 2021 Posts: 2146 Location: All over YOUR webs
Posted: Thu Nov 10, 2022 9:12 Post subject:
Self signed certificate will always remain, I doubt very very much BS will ever make a Chain certificate to install browsers side to get rid of the stupid, meaningless and inconsequential browser side warnings. Still would require hoops to jump through to import this and install properly.
Browser makers dont care that Routers and NAS other devices with web interfaces exist with self signed certificates and are not regular websites.
Anyway, while most people see this as an issue, its not, its neither less secure nor a security risk.
As for enabling both HTTP/S its doable, though I fail to see how it will make anything easier to setup, it will still be a soup browser side, I know because I have both enabled when I try to connect to HTTP only the browser switches it to HTTPS (and I dont have HTTPS only enabled), so I still have to fight the browser.
And how hard is it to check one box and click apply?
Also I see this becoming an issue, where then users may think they are connecting securely and end up with this not being the case, so for me its a hard pass for ALL users change. No devices out there come with HTTP/S both enabled.
Joined: 31 Jul 2021 Posts: 2146 Location: All over YOUR webs
Posted: Thu Nov 10, 2022 11:28 Post subject:
That's Firefox only, not everyone uses Firefox and not everyone that uses it, including me does that advanced config and we cannot ask people to do it and then we need to come up with browsers specific similar advanced config.
In addition until HTTP is utterly unsupported nothing will change and then not all routers have HTTPS support and many user devices with web interface dont even have HTTPS options. That's a problem for browser/device vendors, and browsers do not cater to any of these specifically, for browser makers a web page is a web page and this is dumb and stupid.
This ultimately is a discussion for this suggestion, all pros and cons should be considered and nothing taken lightly, its easy for people to just think about their specific use cases and annoyances and want a solution thats agreeable with them, and consideration must be taken on a myriad of implications.
Anyway, its a trivial change to enable both by default, but I dont see this working out for the best where everyone is concerned.
I never suggested to enable both, only workaround solutions for https first or redirect and bugzilla https warnings.
As side note, my Netgear EX7500 has both http and https enabled by default with a checkbox for https only mode.
Joined: 31 Jul 2021 Posts: 2146 Location: All over YOUR webs
Posted: Thu Nov 10, 2022 12:24 Post subject:
Sure you didn't but the OP did and for that a considered argument must be made to convince the gatekeeper, that's my only suggestion as ATM I dont see one.
Your suggestion/workaround is helpful for those who decide to do it especially because it has a widespread impact/implications (unless you have a browser just for DD-WRT), sadly, while FF is more flexible, its not flexible enough to exclude per site basis, but it would be nice if it were possible, same with silly certificate warnings for all affected devices, but I dont see any FF devs with a DD-WRT interest to implement either.
On that note, we recently fixed an issue where DD-WRT devices without SSL and thus no HTTPS, still had the HTTPS checkbox and HTTPS remote access options, this is no more.
I dont enable HTTPS only mode on any of my browsers and still have to fight with it to get HTTP connected, except Tor, still many sites out there still only on HTTP.
The only reason why I brought up the http/https suggestion was because I had to fight both Brave and FF browsers a couple of weeks ago when I did an nvram erase. I had forgotten that the current trend (rightfully so, https has unicorn dust ) is to push for https. Therefore, I had to hunt through my browser's setting to find where to shut off https only before I could do my initial log-in to my router. It was not a big issue, just a PITA. I've gotten so used to jumping around the self-cert warning it is no big deal. My suggestion, at this point, is purely about convenience, but maybe later on as more browsers move to https only, it might be required. _________________ Netgear XR500 - Gateway
R6700 v3 - Station Bridge
Some websites only support HTTP and the connection cannot be upgraded. If HTTPS-Only Mode is enabled and an HTTPS version of a site is not available, you will see a Secure Connection Not Available page:
f you decide to turn the toggle on, Chrome will automatically “upgrade” any website you try to browse from the HTTP version to HTTPS, if available. Since Chrome already defaults to using HTTPS if you don’t specify http:// or https://, this is essentially limited to links that you may click or times when you manually type in an http:// url into the address bar.
If there isn’t an HTTPS version of a site — whether because the site is outdated, or it’s intentionally disabled as is the case for sites like NeverSSL — Chrome will show an interstitial warning page before reverting back to HTTP.
This is current Firefox Quantum, and the default settings here are out-of-the-box and have never been touched since this "feature" was added to Firefox. It has also creeped into FF ESR, but has not been forced on Waterfox Classic or Pale Moon that I'm aware of or last checked. You boys can all break out yours for comparison and show me the "money", I'm feeling thirsty and salty <lol>
firefoxquantumhttpsonly.png
Description:
Filesize:
74.52 KB
Viewed:
1302 Time(s)
_________________ "The woods are lovely, dark and deep,
But I have promises to keep,
And miles to go before I sleep,
And miles to go before I sleep." - Robert Frost
"I am one of the noticeable ones - notice me" - Dale Frances McKenzie Bozzio
Joined: 04 Aug 2018 Posts: 1447 Location: Appalachian mountains, USA
Posted: Mon Nov 14, 2022 19:13 Post subject:
the-joker wrote:
sadly, while FF is more flexible, its not flexible enough to exclude per site basis
If you are talking about https-only mode, FF has had a Manage Exceptions button in settings for that for years. Recently I moved from vanilla FF to LibreWolf (librewolf.net), a tightened-down FF derivative, and it allows these exceptions to https-only as well. So I keep dd-wrt set to https, but I keep 192.168.1.1 (which my configs never use) as an exception so that it will use http, and nvram erase then causes no issues. _________________ 2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.