
Network Privacy



I would like to know if it is possible and if so would like to see this idea implemented.

I would like to hide web traffic from, let's say, device A from device B so they cannot see any visited sites device A goes to even though they are in the same network.

Link to comment
Share on other sites

Let's say you have a guest or an unwanted guest on your network, if they know what they are doing they can spy on all the sites a device goes to.

So I would like to block websites being viewed by device A from device B or B-Z.

Link to comment
Share on other sites

That would only affect websites that don't support HTTPS/SSL (don't have the green padlock).

However, even though DUMAOS already has support for SSL on the router for the admin page it's not exactly fully functional on things like Chrome because of problems with certificates locally I suspect.

@Netduma Fraser any ideas if this is planned to get updated because right now it's pretty simple to sniff passwords when you are on the network.


Link to comment
Share on other sites

Aside from HTTPS/SSL if anyone is on the wifi network either by you giving them the password or them brute forcing their way in.

It is a privacy issue and they can see the very domain you are looking at, so to block internally other devices in the network from seeing domains that Device A goes to.

Link to comment
Share on other sites

8 minutes ago, iMoD1998 said:

This risk is also further amplified by the fact you have to constantly relog in to the admin page so it could be even easier to steal credentials.

That should only happen once after you close your browser, if you sign in and do not close the browser but close the tab, you can still get in without the password.

This is actually bad and the way you are describing it, that you always have to enter the login information is actually better unless they are playing MITM.

Link to comment
Share on other sites

4 minutes ago, II N3MES1S II said:

Aside from HTTPS/SSL if anyone is on the wifi network either by you giving them the password or them brute forcing their way in.

It is a privacy issue and they can see the very domain you are looking at, so to block internally other devices in the network from seeing domains that Device A goes to.

There isn't a good way of preventing this, there is only SSL and secure DNS that prevents this. If secured with SSL they can see the IP you are communicating with but not the content or location on the site.

A workaround would be to separate your WiFi networks using the guest network feature with a password. This would prevent them from sniffing other people's traffic if you use a different password/SSID as the encryption for WPA would change, only allowing them to monitor guests.

 

5 minutes ago, II N3MES1S II said:

That should only happen once after you close your browser, if you sign in and do not close the browser but close the tab, you can still get in without the password.

This is actually bad and the way you are describing it, that you always have to enter the login information is actually better unless they are playing MITM.

For me even when leaving the tab open it requests me to sign in again after like 30 mins.

Link to comment
Share on other sites

Yea I know I can set up the guest wifi but I also mentioned an unwanted user in the network.

Even so, I do not want anyone seeing the IPs my device visits.

One quick search of the IP and you can get the content easily.

That is actually good that it asks for the login creds every 30

Link to comment
Share on other sites

1 minute ago, II N3MES1S II said:

Yea I know I can set up the guest wifi but I also mentioned an unwanted user in the network.

Even so, I do not want anyone seeing the IPs my device visits.

One quick search of the IP and you can get the content easily.

Not necessarily, if you go via things like Cloudflare first it would be pretty impossible to see the exact IP you are going to but yes for the majority of sites this isn't the case.

A VPN would also be a workaround I guess as you're not directly communicating with the IP you want to talk to and it's also encrypted but you add extra latency and limited bandwidth.

WireGuard VPNs however have shown better results when it comes to latency so that could also be a viable option.

Link to comment
Share on other sites

8 minutes ago, iMoD1998 said:

Not necessarily, if you go via things like Cloudflare first it would be pretty impossible to see the exact IP you are going to but yes for the majority of sites this isn't the case.

A VPN would also be a workaround I guess as you're not directly communicating with the IP you want to talk to and it's also encrypted but you add extra latency and limited bandwidth.

WireGuard VPNs however have shown better results when it comes to latency so that could also be a viable option.

Without using a VPN I would like to internally block domain/ip sniffers that are on the wifi network with or without me knowing.

So prevent any wifi users from seeing or sniffing domain/ip searches from a said device.

Link to comment
Share on other sites

6 minutes ago, II N3MES1S II said:

Without using a VPN I would like to internally block domain/ip sniffers that are on the wifi network with or without me knowing.

So prevent any wifi users from seeing or sniffing domain/ip searches from a said device.

Don't think there are many solutions to this problem without it getting complicated or using enterprise solutions, the best bet right now is to have a strong WiFi password and create a separate guest one for people you don't trust.

WiFi passwords using WPA are very hard to brute force if it's just a long amount of characters and random letters.

A good example of password/cracking speed.

https://forums.hak5.org/topic/39403-table-of-wifi-password-standards/

Then to remember this or to make entering this easier you can use a QR code generator and print it out or something to quickly add more devices easier. 

This way you can guarantee that no one is on your wireless network or is there without you knowing.

The only way I can think past this is to directly connect with Ethernet which is unlikely without you knowing.

Link to comment
Share on other sites
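An added example (not from the thread) of the approach in the post above: generate a long random WPA passphrase, estimate its search space, and build the text to feed a QR generator. The guess rate, the SSID and the 94-symbol alphabet are assumed values; the `WIFI:` payload is the common format phone camera apps read.

```python
import math
import secrets
import string

# Printable ASCII without the space character: 94 symbols (assumed alphabet).
ALPHABET = string.ascii_letters + string.digits + string.punctuation

def generate_passphrase(length=63):
    """Random passphrase from a CSPRNG; WPA-PSK passphrases are 8 to 63 characters."""
    if not 8 <= length <= 63:
        raise ValueError("WPA passphrase must be 8-63 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random passphrase: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)

def years_to_exhaust(length, guesses_per_second, alphabet_size=len(ALPHABET)):
    """Years needed to try every candidate at a constant (assumed) guess rate."""
    seconds = alphabet_size ** length / guesses_per_second
    return seconds / (365.25 * 24 * 3600)

def wifi_qr_payload(ssid, passphrase, auth="WPA"):
    """Text for a QR generator; reserved characters must be backslash-escaped."""
    def esc(value):
        # Escape the backslash first so later escapes are not doubled.
        for ch in '\\;,:"':
            value = value.replace(ch, "\\" + ch)
        return value
    return f"WIFI:T:{auth};S:{esc(ssid)};P:{esc(passphrase)};;"

if __name__ == "__main__":
    rate = 1e9                      # assumed guesses per second
    pw = generate_passphrase(20)
    print(f"passphrase : {pw}")
    print(f"entropy    : {entropy_bits(len(pw)):.1f} bits")
    print(f"exhaustion : {years_to_exhaust(len(pw), rate):.2e} years at {rate:.0e}/s")
    # Compare with 8 lowercase letters, a typical weak choice.
    print(f"8 lowercase: {entropy_bits(8, 26):.1f} bits")
    print(wifi_qr_payload("ExampleHomeNet", pw))   # SSID is a placeholder
```

Random passphrases often contain `\`, `;`, `,` or `:`, so a payload built without the escaping step can scan as a different password than the one set on the router.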

1 minute ago, iMoD1998 said:

Don't think there are many solutions to this problem without it getting complicated or using enterprise solutions, the best bet right now is to have a strong WiFi password and create a separate guest one for people you don't trust.

WiFi passwords using WPA are very hard to brute force if it's just a long amount of characters and random letters.

A good example of password/cracking speed.

https://forums.hak5.org/topic/39403-table-of-wifi-password-standards/

Then to remember this or to make entering this easier you can use a QR code generator and print it out or something to quickly add more devices easier. 

This way you can guarantee that no one is on your wireless network or is there without you knowing.

The only way I can think past this is to directly connect with Ethernet which is unlikely without you knowing.

All sounds about right for now but would love to see some magic done and it implemented.

 

Link to comment
Share on other sites

  • Administrators
42 minutes ago, iMoD1998 said:

Thanks @Netduma Fraser, if I can also ask one more thing, do you know if there are any plans on adding secure DNS/DNS over HTTPS?

Pretty sure this is already supported by OpenWrt.

I haven't seen anything in our system so I'll go ahead and request that for you.

Link to comment
Share on other sites

12 hours ago, II N3MES1S II said:

Aside from HTTPS/SSL if anyone is on the wifi network either by you giving them the password or them brute forcing their way in.

It is a privacy issue and they can see the very domain you are looking at, so to block internally other devices in the network from seeing domains that Device A goes to.

Brute force??

If you have a good password there’s no chance they will get in, Netgear are part of BUG and the security side is very strong as long as you use long complex passwords. Yes they have made a few mistakes, keys in open format or slow to fix known security issues but all router companies have had hiccups in the past.
PMF is also included so you can’t deauth attack or think about doing some basic naughty stuff like redirecting. PMF though is only on WIFI 6 routers within the Netgear range.

The weakest point is security updates when people roll back or installing silly things from sources you don’t know or trust or turning off security functions.
Yes there are some weak points like UPnP, remote access and so on. I turn off WPS, remote and VoIP SIP and I don’t use any form of DMZ and happily game behind a moderate NAT.
You also have internal smart devices that may allow some access, remember Philips Hue and the oops we have a flaw so it’s worth making sure any smart devices are up to date. Don’t allow devices like Amazon devices to store your login details on their servers, there’s an option to disable this or to remove content.
The truth is there are many potential security issues using third party devices on your network but in reality it’s a very low chance of experiencing an issue security wise.
You can also limit your WiFi transmission power, the lower the better as you want to refrain from sending out your signal far beyond your property boundary. Of course no one ever does this but it’s there if you want to use it.

Domestic routers don’t have the level of complex enterprise equipment that offer internal security and monitoring which tends to be expensive on the licence side. 

 

Link to comment
Share on other sites

Guest Killhippie

Honestly Newfie is right, an ASCII 20 digit password would take over 1000 years to brute force attack, so you are safe. I use full 256 bit encryption with a maximum length password, which would take well over 10,000 years to break. All you need is a guest network and a good password, there is no need for anything else as nobody is getting in.

Link to comment
Share on other sites

6 hours ago, Newfie said:

Brute force??

If you have a good password there’s no chance they will get in, Netgear are part of BUG and the security side is very strong as long as you use long complex passwords. Yes they have made a few mistakes, keys in open format or slow to fix known security issues but all router companies have had hiccups in the past.
PMF is also included so you can’t deauth attack or think about doing some basic naughty stuff like redirecting. PMF though is only on WIFI 6 routers within the Netgear range.

The weakest point is security updates when people roll back or installing silly things from sources you don’t know or trust or turning off security functions.
Yes there are some weak points like UPnP, remote access and so on. I turn off WPS, remote and VoIP SIP and I don’t use any form of DMZ and happily game behind a moderate NAT.
You also have internal smart devices that may allow some access, remember Philips Hue and the oops we have a flaw so it’s worth making sure any smart devices are up to date. Don’t allow devices like Amazon devices to store your login details on their servers, there’s an option to disable this or to remove content.
The truth is there are many potential security issues using third party devices on your network but in reality it’s a very low chance of experiencing an issue security wise.
You can also limit your WiFi transmission power, the lower the better as you want to refrain from sending out your signal far beyond your property boundary. Of course no one ever does this but it’s there if you want to use it.

Domestic routers don’t have the level of complex enterprise equipment that offer internal security and monitoring which tends to be expensive on the licence side. 

 

And....of course no one ever changes their default password either.

It can happen with the right target and attacker and hardware/software combo.

Link to comment
Share on other sites

1 hour ago, II N3MES1S II said:

And....of course no one ever changes their default password either.

It can happen with the right target and attacker and hardware/software combo.

Sadly no, it can’t, if you read Killhippie's reply it explains why and if you are daft enough to have a stupid and basic WiFi password then the only one to blame is their own stupidity. Most cases are through stupidity of wanting cracked software, cheats, downloading rubbish, it’s the easiest way onto a network.
There are plenty of resources out there that explain why long and complex passwords will take longer to crack than your life span. Having DetdumaR2 as a password is asking for it whereas below would take a very long time. If it’s possible please link me in on a PM.
Never ever use a name or any word found in a dictionary. With one below you will never ever get hacked and can sit back and relax.

@=gcNjR#dj@-IMQ*~qK9w%-GI|ewi&9$\,_zv:o2LC:5^'|tI<o-\M.jVDs.$BF

 

 

Link to comment
Share on other sites

Guest Killhippie
20 hours ago, II N3MES1S II said:

And....of course no one ever changes their default password either.

It can happen with the right target and attacker and hardware/software combo.

Actually the Netgear routers make you change your login password and tell you if it's not strong enough. If you have a long Wi-Fi password it gives you better password entropy and as I said with a password like Newfie has posted you are looking at tens of thousands of years to brute force attack. If someone is downloading dubious material for example (I'm not implying you are in any way whatsoever), an ISP can tell by the packets what the data is, so all the security in the world won't help in that respect. A strong password especially with WPA3 is all you need and a guest account that does not let them have access to your side of the internet, which most routers have these days. Also your browser gives away more about you than you realise, check out the Electronic Frontier Foundation site to see what I mean.

https://coveryourtracks.eff.org/

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.
