Environment
Router: Linksys EA9500
Hardware Version: 1.1
The router has a default IPv4 address of 192.168.100.1. I connected the router to my laptop, and went to https://192.168.100.1 and after a brief wait for the browser to timeout with
I dropped the attempt to use a secure connection by changing from HTTPS to HTTP and was presented with the login screen. The lack of security out of the box is sad, but not a deal breaker. As I went through the configuration, I found a checkbox to enable HTTPS for administration. There is also a checkbox for HTTP which is checked, but grayed out to prevent it from being deselected. It's good that they support secure connections, but not great that you can't disable HTTP.
When the basic network setup was complete, I shut down the router and replaced my old existing router with the new unit. This time I was able to use HTTPS... almost.
As most will have noticed, the newest browsers are beginning to provide feedback when a connection may not be secure. Clicking on the warning symbol in the URL box will bring up information about the connection and provide feedback on why the warning has appeared. From here, we can select the "View Certificate" button and get more information.
The browser is looking out for me. In order to get to the site, I need to click on Advanced, and then Proceed. Kind of a pain for every time administration needs to be performed. The reason for this becomes quickly apparent when we drill in using the warning icon.
Well, there you go then... the certificate expired in 2010, almost exactly 6 years ago from today (10/03/2016). What would possess them to use a 6-year-old certificate in a brand new product?
Okay, this goes beyond stupid. The certificate was issued by and to ut610n when Linksys was owned by Cisco! Can someone explain why Linksys, now owned by Belkin, is using a Cisco certificate? If you are not going to use an authoritative certificate issued by a trusted authority, is there some reason that you can't issue a new self-signed certificate that is at least valid for the next 5 years? How lazy can you be?
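A check for the two defects described above (an expired certificate whose issuer and subject are the same name), as an added example that is not part of the original post. It assumes the OpenSSL command-line tool is installed; the function names and the sample CN are made up for illustration.

```shell
#!/bin/sh
# Added example: audit a device's admin-interface certificate.

# fetch_cert HOST:PORT OUTFILE - save the certificate a server presents,
# even if it is expired or untrusted (s_client does not abort on that).
fetch_cert() {
    openssl s_client -connect "$1" </dev/null 2>/dev/null | openssl x509 -out "$2"
}

# audit_cert FILE [SECONDS] - print findings; return 0 only if there are none.
# SECONDS=0 (default) asks "expired now?"; a larger value asks
# "will it expire within that many seconds?".
audit_cert() {
    cert=$1
    window=${2:-0}
    findings=""

    # Refuse to judge something that is not a parseable certificate.
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 || { printf 'UNREADABLE'; return 2; }

    # -checkend N exits non-zero when the certificate is invalid N seconds from now.
    if ! openssl x509 -in "$cert" -noout -checkend "$window" >/dev/null 2>&1; then
        if [ "$window" -eq 0 ]; then findings="EXPIRED"; else findings="EXPIRING"; fi
    fi

    # Same issuer and subject: only the device itself vouches for this certificate.
    subject=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
    issuer=$(openssl x509 -in "$cert" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
    if [ "$subject" = "$issuer" ]; then
        findings="${findings:+$findings }SELF_ISSUED"
    fi

    printf '%s' "$findings"
    [ -z "$findings" ]
}

# Constructed sample input: a throwaway self-signed certificate valid for
# one day. The CN is invented and does not come from any real device.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed-router.example" \
        -keyout "$1.key" -out "$1" >/dev/null 2>&1
    rm -f "$1.key"
}
```

Against a real device, save the certificate with `fetch_cert` using the router's address and port 443, then run `audit_cert` on the saved file.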
The login screen has two versions: a local login and a Smart Wi-Fi login.
The local login, shown here, only requires a password. If you are setting up for the first time, it will be the default. If you have logged in at least once, you should have been prompted to change the password.
The Smart Wi-Fi login utilizes a cloud account and is what allows you to manage the router using a smart device app (iOS or Android). What isn't immediately clear is that the Smart Wi-Fi account is different than your Linksys account.
It took messing with this, and a support call before I got this resolved (by creating the other account). I will not lay blame with Linksys for this, but I will suggest some obvious text letting us know that this is not the Linksys web account.
Another Security Concern
I do have a concern over their password policy. This account is accessible from the Internet, and yet their password policy is very limiting. Eight characters or more isn't bad, but I'm very disappointed that non-alphanumeric characters are not allowed.
In Interface Speed Test
The administration interface has a link that pops up a speed test. This is a nice idea that saves a few clicks. Unfortunately, it runs into an issue with the secure connection.
Because I am using the secure browser connection, the browser has a fit when the link attempts to pop up a window which only uses HTTP. The result is a Speed Test that looks like this...
The window pops up, but it will not return the insecure page.
Smart Wi-Fi Application
The Smart Wi-Fi application actually seems to be well written. It looks like I can adjust any setting from my phone, no matter where I am. I could see this being useful if a parent wanted to update parental controls, allowing or preventing access by time and/or device. Nothing like messing with the kids without them knowing. I personally don't have any need for this (yet), and the best feature for me at this point is an alert when my Internet connection drops. I'm assuming this works, but I haven't tested it yet. What it does suggest is an active connection from the Linksys servers to my router, and I once again have to wonder just how secure this is. So far, I am not impressed with the security on the router itself. I will be digging into this as time permits and may ultimately look into disconnecting the router from the cloud engine.