 
hansdampf
just joined
Topic Author
Posts: 3
Joined: Fri Jul 24, 2020 2:18 pm

feature request - https for webui

Fri Jul 24, 2020 2:34 pm

Dear MikroTik team,

I recently bought a MikroTik CRS317-1G-16S+RM and I am very happy with the device. Because Router OS was a little overwhelming I switched to SwOS, which is great. The only thing I am missing is https for the webui. Is there a possibility that you port this feature from Router OS to Switch OS? As far as I understood, Router OS has this feature.

Thanks in advance

hansdampf :-)
 
mkx
Forum Guru
Posts: 10228
Joined: Thu Mar 03, 2016 10:23 pm

Re: feature request - https for webui

Fri Jul 24, 2020 9:11 pm

Not trying to downplay your request, but: what is your use case where plain http isn't good enough?
 
Paternot
Forum Veteran
Posts: 948
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: feature request - https for webui

Fri Jul 24, 2020 9:23 pm

Not trying to downplay your request, but: what is your use case where plain http isn't good enough?
It is quite reasonable to want this feature. I don't need it - my switches (and the networks) are all under my physical control. But you can't always have this. If the switch he manages is behind a single third-party router, he already needs HTTPS.

Or a CRS and VPN - but this is RoS only, and we are talking SwOS.
 
hansdampf
just joined
Topic Author
Posts: 3
Joined: Fri Jul 24, 2020 2:18 pm

Re: feature request - https for webui

Fri Jul 24, 2020 10:32 pm

Not trying to downplay your request, but: what is your use case where plain http isn't good enough?
Dear mkx,

thank you for your question. I am not requesting this because http isn't good enough. Besides the fact that most browsers complain about plain authentication via http, it is because of security considerations. If a computer in my network were compromised I would want as few attack vectors as possible. All my web applications are served via https. Logins to servers are all secured via ssh. LDAP login is also secured via ldaps and so on... So it would be great to have this feature.

Thanks for supporting my request.
 
killersoft
Member Candidate
Posts: 229
Joined: Mon Apr 11, 2011 2:34 pm
Location: Victoria, Australia

Re: feature request - https for webui

Tue Aug 04, 2020 4:39 pm

Why not SSH to the unit (better than web based config)?
You could go back to RouterOS (the switch menu is there, if you need pure wire-speed config) and use Winbox or SSH for secure logging in.
RouterOS supports HTTPS too.
https://wiki.mikrotik.com/wiki/Manual:W ... ling_HTTPS
 
Paternot
Forum Veteran
Posts: 948
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: feature request - https for webui

Tue Aug 04, 2020 7:31 pm

Why not SSH to the unit (better than web based config)?
Because not all units can run RoS. The CRS can - the CSS cannot. I have two CSS326, and they can't run RoS. There is a version that can - the CRS326.
 
jjoelc
just joined
Posts: 8
Joined: Mon Oct 05, 2015 9:14 pm

Re: feature request - https for webui

Wed Sep 15, 2021 7:16 pm

Not trying to downplay your request, but: what is your use case where plain http isn't good enough?
The same use case where telnet isn't good enough.

Quite simply, having any kind of credentials, or any kind of config info being passed around the network unencrypted is a non-starter. I'm a big fan of Mikrotik routers, and use them quite regularly when appropriate. But the lack of any secure method of configuration is literally the reason I have never looked at the switches outside of a lab setting. Auditors would tear me a new one for allowing that on the network, and rightfully so. I can't even install these at car dealerships (and if any of you have done work for car dealers, you know what a low bar that is!)

No matter what features or what price point (and Mikrotik is good-to-great in both those categories, generally) no https or SSH means no sale. Sorry.

(That said, I *have* been very impressed with the progress made in the switching since Mikrotik released their first few dedicated switches. Those first few were pretty rough around the edges, software- and feature-wise. So great work on that part. I just don't understand how a secure channel for any kind of configuration isn't the default these days, much less not even an option.)
 
rextended
Forum Guru
Posts: 11495
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: feature request - https for webui

Wed Sep 15, 2021 7:39 pm

The switch already supports SSH and HTTPS on RouterOS; simply use the already included RouterOS instead of SwOS...
 
k6ccc
Forum Guru
Posts: 1382
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: feature request - https for webui

Thu Sep 16, 2021 8:05 am

As has been already stated in this thread - RouterOS can NOT be used on CSS devices.
 
rextended
Forum Guru
Posts: 11495
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: feature request - https for webui

Thu Sep 16, 2021 5:56 pm

@Paternot is not the OP, and the OP does not have a CSS but a CRS317-1G-16S+RM
 
k6ccc
Forum Guru
Posts: 1382
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: feature request - https for webui

Thu Sep 16, 2021 6:03 pm

No he is not the OP, but the thread is still valid. SwitchOS does not support any form of secure connectivity - AND IT SHOULD!
 
lawe
just joined
Posts: 17
Joined: Fri Jun 04, 2021 12:06 am

Re: feature request - https for webui

Tue Sep 21, 2021 12:19 pm

I would also like to have this feature in SwOS. That should be a common standard nowadays.
 
invsblduck
just joined
Posts: 4
Joined: Tue Oct 26, 2021 2:52 am

Re: feature request - https for webui

Tue Oct 26, 2021 3:18 am

Definitely shocking to log in via HTTP basic auth. Just unboxed my CSS610 and can't believe it. If it were open source, the community would have already added basic TLS support to the web server, because otherwise the software can't really be taken seriously, IMO. Which is crazy because the overall product seems like such a feat of advanced programming and electrical engineering. But hey, the price is right. :mrgreen:

( Are the CPU and RAM in the CSS610 too limited to accommodate TLS termination, or similar? )
 
rextended
Forum Guru
Posts: 11495
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: feature request - https for webui

Thu Oct 28, 2021 5:58 pm

You're just fooled by cryptography; look for Zuchongzhi 2.1 and Jiuzhang 2.0. Nothing is secure now, devices 10 million times faster than traditional "supercomputers" can decrypt anything in some minutes or seconds, or less...
 
invsblduck
just joined
Posts: 4
Joined: Tue Oct 26, 2021 2:52 am

Re: feature request - https for webui

Thu Oct 28, 2021 7:19 pm

You're just fooled by cryptography

By this logic, you don't believe in putting locks on doors or windows because there are big enough tools in the world to defeat these common protections. So, I wonder: Does rextended lock his doors when he leaves home? Don't be a hypocrite, now...tell the truth. :lol:

I'm well acquainted with the long history and nature of cryptanalysis, as well as the fallacy of putting a "huge padlock on a small and rickety fence." I'm not dealing with savvy targeted attackers -- especially not state-level ones with access to resources like those of your imagination -- so I'd want TLS like any reasonable person who locks their doors at night. Security in layers is good. :) Thanks.
 
mkx
Forum Guru
Posts: 10228
Joined: Thu Mar 03, 2016 10:23 pm

Re: feature request - https for webui

Thu Oct 28, 2021 7:31 pm

For starters I wouldn't expose a simple managed switch (like CSS) to the internet at large. If one cannot trust their LAN, then most (if not all) managed switches support a "management VLAN". It's up to the router/firewall to filter access to the management VLAN at large. And if paranoid enough, the management workstation is not hosted outside the management VLAN ... and communications between the management VLAN and the rest of the universe (LANs included) are severely limited (if not outright blocked).

So if one is really paranoid, encryption is not even needed. :wink:
 
rextended
Forum Guru
Posts: 11495
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: feature request - https for webui

Thu Oct 28, 2021 8:08 pm

By this logic, you don't believe in putting locks on doors or windows because there are big enough tools in the world to defeat these common protections. So, I wonder: Does rextended lock his doors when he leaves home? Don't be a hypocrite, now...tell the truth. :lol:

I'm well acquainted with the long history and nature of cryptanalysis, as well as the fallacy of putting a "huge padlock on a small and rickety fence." I'm not dealing with savvy targeted attackers -- especially not state-level ones with access to resources like those of your imagination -- so I'd want TLS like any reasonable person who locks their doors at night. Security in layers is good. :) Thanks.
I have learned how to open a "standard" door or padlock from some videos on YouTube...
I have chosen not to buy any "secure" lock because... the nicer the box, the more interest goes in...
I simply do not leave anything of reasonable value inside the house when I go away...

A "simple switch" where you can't put any password or username inside is completely useless...
There is no effort to get inside a "useless" switch...

Speaking of the "digital world", I prefer to hide the keyhole rather than have a big padlock, and I never treat a TLS connection as a secure one, even if it reasonably is.
 
invsblduck
just joined
Posts: 4
Joined: Tue Oct 26, 2021 2:52 am

Re: feature request - https for webui

Thu Oct 28, 2021 9:32 pm

I understand both points above -- they are logical. And it's not worth debating every possibility of every topology in every environment (e.g., lab vs. prod) against the comfort levels of every different person.

However, I do think it's worth pointing out that when systems are deployed professionally in the industry, there is no defensible case to be made ever that sending secrets in plain text is acceptable. You just won't see it. The world mostly stopped using telnet and rlogin a long time ago, even in switched networks that use microsegmentation to unicast ethernet frames, because it's just common protection against common/unsophisticated thieves. Just like locks on windows. Even if the cipher is flawed, even if the secret is stored in memory in plain text somewhere by a running process, even if the system architecture is flawed, etc. (i.e., any stupid old avenue that presents a risk in overall protection of the secret), you will never hear an expert approve transmission of secrets in plain text in the 21st century, even within a mgmt VLAN. That is just not really up for discussion at this point in the game.

(I don't know that any U.S. enterprise is running an ecommerce platform on a CSS610 in production, but the world is a pretty crazy place...so, what do I know. :-))

Nothing is really secure, but that doesn't mean we stop manufacturing cars with door locks just because glass windows defeat the purpose of security -- it's a common feature & expectation in this day and age, and it would be a red flag for any manufacturer to say, "Nah, we don't believe in that...it's pointless and everything is futile." (Hence my original question about hardware or cost/benefit in this product line, trying to understand the actual reason from the company.. Not sure if you guys are employees or owners.)
 
Paradox
just joined
Posts: 20
Joined: Fri Oct 15, 2021 3:50 pm

Re: feature request - https for webui

Mon Mar 06, 2023 10:09 am

The switch support already SSH, HTTPS on RouterOS, simply use already included RouterOS instead of SwOS...
Funny advice... IMHO SwOS is much simpler and setup is faster for some use cases.
 
Paradox
just joined
Posts: 20
Joined: Fri Oct 15, 2021 3:50 pm

Re: feature request - https for webui

Mon Mar 06, 2023 10:31 am

I don't need it - my switches (and the networks) are all under my physical control.
As long as there is no intruder in your network.
Yes, I'm also doing stuff like this, but it's not good security practice anymore: look for Zero Trust.
 
rextended
Forum Guru
Posts: 11495
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: feature request - https for webui

Mon Mar 06, 2023 6:26 pm

User is referring to http.
And who would be this intruder between the computer, and the router connected directly with a network cable?

Malware on your computer also renders https useless.

Your comments to this resurrected thread add nothing new.
 
Amm0
Forum Guru
Posts: 2377
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: feature request - https for webui

Mon Mar 06, 2023 7:09 pm

Maybe this has changed. I recall SwOS doesn't even have a default gateway either. So that limits both the scope of an attack AND its usefulness, e.g. it's only manageable locally (or via some NAT). E.g. I recall not being able to use it from different subnets, so the HTTP can't get very far.

Now if they support a default gateway nowadays, then HTTP allows anyone who can use Wireshark in an organization to obtain the password. If you're a one-man shop this isn't a big deal, but in any medium/large organization there is likely policy/RFPs/etc requiring HTTPS.
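Amm0's point above, that HTTP Basic credentials on a cleartext management session are readable by anyone on the path, is exactly what a network monitor should alert on. The following is an added example, not code from this thread or from MikroTik: a small Python check that runs over reassembled HTTP request text and reports each cleartext Basic login by source, destination and user name, while keeping the password out of the alert. The request samples, addresses and the credential "admin:hunter2" are constructed for the example; the dataclass and function names are hypothetical, and the check assumes a capture tool has already reassembled the TCP streams into request text.

```python
"""Flag cleartext HTTP Basic credentials in captured management-plane traffic.

Added example (not from the forum thread or MikroTik). It inspects HTTP
requests that a capture tool has already reassembled into text; constructed
samples are embedded below so the check runs offline.
"""
import base64
import binascii
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One reassembled HTTP request: (client_ip, server_ip, server_port, request_text).
Request = Tuple[str, str, int, str]

# Constructed samples; the addresses are documentation ranges, not real hosts.
SAMPLE_REQUESTS: List[Request] = [
    # 1. Basic credentials to a switch web UI on plain port 80 (token is "admin:hunter2").
    ("192.0.2.10", "192.0.2.2", 80,
     "GET /index.html HTTP/1.1\r\n"
     "Host: 192.0.2.2\r\n"
     "Authorization: Basic YWRtaW46aHVudGVyMg==\r\n"
     "\r\n"),
    # 2. Unauthenticated request: nothing to report.
    ("192.0.2.10", "192.0.2.2", 80,
     "GET /status HTTP/1.1\r\nHost: 192.0.2.2\r\n\r\n"),
    # 3. Basic header whose value is not valid base64: still cleartext, still reported.
    ("192.0.2.11", "192.0.2.2", 80,
     "POST /save HTTP/1.1\r\nHost: 192.0.2.2\r\n"
     "authorization: basic not*base64*\r\n\r\n"),
    # 4. Bearer token, not Basic: out of scope for this particular check.
    ("192.0.2.12", "192.0.2.4", 8080,
     "GET /api HTTP/1.1\r\nHost: 192.0.2.4\r\nAuthorization: Bearer abc.def.ghi\r\n\r\n"),
]

# Header names and the scheme keyword are case-insensitive in HTTP.
BASIC_RE = re.compile(r"^authorization:\s*basic\s+(\S+)\s*$", re.IGNORECASE | re.MULTILINE)


@dataclass
class Finding:
    client: str
    server: str
    port: int
    username: Optional[str]  # None when the token could not be decoded
    decodable: bool


def _username_from_token(token: str) -> Optional[str]:
    """Return only the user part of a Basic token; the password is discarded."""
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8", errors="replace")
    except (binascii.Error, ValueError):
        return None
    user, _, _password = raw.partition(":")
    return user


def find_cleartext_basic_auth(requests: List[Request]) -> List[Finding]:
    """Report every request carrying HTTP Basic credentials over an unencrypted stream.

    Any request text the capture tool could reassemble was by definition not
    protected by TLS, so the test is simply: is a Basic header present at all?
    """
    findings: List[Finding] = []
    for client, server, port, text in requests:
        match = BASIC_RE.search(text)
        if not match:
            continue
        user = _username_from_token(match.group(1))
        findings.append(Finding(client, server, port, user, user is not None))
    return findings


def format_alert(f: Finding) -> str:
    """Human-readable alert line that names the account but never the password."""
    who = f"user '{f.username}'" if f.decodable else "an undecodable token"
    return (f"ALERT cleartext HTTP Basic credentials: {f.client} -> {f.server}:{f.port} "
            f"({who}); password withheld from this log")


if __name__ == "__main__":
    for finding in find_cleartext_basic_auth(SAMPLE_REQUESTS):
        print(format_alert(finding))
```

Run as-is it prints two alerts, one for the decodable "admin" login and one for the malformed token; the Bearer request and the unauthenticated request are left alone. The alert deliberately carries only the user name, which is enough to know which account to rotate without copying the secret into a second place.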
 
Paradox
just joined
Posts: 20
Joined: Fri Oct 15, 2021 3:50 pm

Re: feature request - https for webui

Tue Mar 07, 2023 9:08 am

And who would be this intruder between the computer, and the router connected directly with a network cable?
Apparently it's called a network, because I always have direct connections between computer and switch :roll: :-P
 
rextended
Forum Guru
Posts: 11495
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: feature request - https for webui

Tue Mar 07, 2023 10:09 am

And who would be this intruder between the computer, and the router connected directly with a network cable?
Apparently it's called a network, because I always have direct connections between computer and switch :roll: :-P
:?:

Is it difficult to understand the concept of "directly connected"? Or should it be supplemented with dozens of useless examples and frills?
No need to climb mirrors.

(P.S.: By router I mean RouterBOARD, generic hardware produced by MikroTik regardless of the specific model name.)
 
invsblduck
just joined
Posts: 4
Joined: Tue Oct 26, 2021 2:52 am

Re: feature request - https for webui

Thu Mar 09, 2023 8:35 am

Seeing how you use the networking term "router" (which connects separate networks) to mean RouterBOARD: Yes, examples would be in order to convey basic concepts and communicate effectively, yet you aren't interested in being reasoned with and you've won your game of killing the thread.
 
barkas
Member Candidate
Posts: 260
Joined: Sun Sep 25, 2011 10:51 pm

Re: feature request - https for webui

Sun May 07, 2023 11:28 pm

It's probably useless to argue this. If you can't see it yourself, I can't make you.

Obviously any use of login credentials regardless of the network topology it is used in must always be encrypted.
 
BrianHiggins
Long time Member
Posts: 694
Joined: Mon Jan 16, 2006 6:07 am
Location: Norwalk, CT

Re: feature request - https for webui

Mon May 08, 2023 10:57 pm

FYI, I very recently participated in a PCI compliance audit for someone, and in order for their business to continue to process customer credit cards, all web managed network devices on their LAN, like switches, are required to restrict web management to HTTPS only (and any use of telnet to manage a device is strictly prohibited). Plain text logins are now considered a compliance failure no matter what protocol they use, even over your own LAN.
 
k6ccc
Forum Guru
Posts: 1382
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: feature request - https for webui

Mon May 08, 2023 11:10 pm

FYI, I very recently participated in a PCI compliance audit for someone, and in order for their business to continue to process customer credit cards, all web managed network devices on their LAN, like switches, are required to restrict web management to HTTPS only (and any use of telnet to manage a device is strictly prohibited). Plain text logins are now considered a compliance failure no matter what protocol they use, even over your own LAN.
Good point!
I have been required to go through the PCI training (even though my job has nothing to do with it) for several years. Non-encrypted webFig for RouterOS would also be affected. At least with RouterOS, we have a choice.

Listen up Mikrotik! We need HTTPS for SwitchOS...
 
t04s
just joined
Posts: 24
Joined: Thu Mar 17, 2022 6:36 pm

Re: feature request - https for webui

Fri Jun 02, 2023 8:36 pm

Landed here because I too was surprised SwOS doesn't have HTTPS support. Using a CRS-328.

Also surprising to read some of the views that hand-wave away the security implications. I wouldn't expect anyone serious about security to take such a position, and as a vendor of networking equipment I would imagine security to be one of the top priorities.

As has been stated, security in depth generally is the best approach to infosec. Most organisations are likely to expect authentication and data confidentiality on their networks. And sure, one can have expectations and assumptions of what is or should be secure, but breaches happen which is why we generally layer defenses, and reduce attack surface. This is ripe for MITM attacks or to encourage bad practice like not validating/checking the connection similar to those that regularly click through TLS warnings for self-signed certs.

For any org that needs to meet PCI compliance, has data protection requirements, has a respectable security policy, or does any kind of pen testing/threat modelling - this sort of thing isn't going to cut it and this one is a low bar to hit.

Recommendations to just use ROS instead are also unhelpful. That's not the point of the OP - it's specifically about HTTPS support in SwOS. Customers are entitled to have their own reasons for using it and there should be a reasonable expectation to be able to use it securely. But still it's a good point, because the fact ROS supports HTTPS is an implicit acknowledgement by Mikrotik that it's a requirement to have sufficient security guarantees, or else it wouldn't be included there either.

Thanks,
t04s
 
tdw
Forum Guru
Posts: 1727
Joined: Sat May 05, 2018 11:55 am

Re: feature request - https for webui

Mon Jun 05, 2023 8:36 pm

SwOS does not have much functionality. To support HTTPS it would need crypto, time, a filesystem, a mechanism to upload certificates, etc. I expect that a 'RouterOS lite' which has enough functionality would be easier than trying to retrofit SwOS.

And make sure you keep any downloaded configuration files secure - the password is an easily read hex representation of the ASCII string.
