When I use Firefox to access my Linksys WRT54GL router with DD-WRT v23SP2 firmware, I receive the following dialog box:
A user name and password are being requested by https://192.168.1.1. The site says: "xxxxxx"
Where xxxxxx is the router name and there are text boxes for the user name and password.
Konqueror displays a similar dialog box with
Site: xxxxxx at 192.168.1.1.
I expect the dialog boxes but the box message bothers me. A little security through obscurity would be nice here. Why display the router name. Is there a way to prevent this?
I have remote web GUI management and ssh access disabled. Therefore anybody outside my LAN should never see this dialog box. People inside the LAN are considered trusted, but even if not, they cannot obtain access to the router web pages without a user name and password. I also can restrict access to the router web pages from only certain IP addresses within my subnet. Yet anybody inside the LAN who accesses that IP address sees the router name in the dialog box.
There are two names associated with the router. The DD-WRT firmware refers to these as
router name and
host name. The former is represented in nvram by router_name while the latter is represented by wan_hostname.
The latter is potentially confusing because traditionally, the host name is the name of a computer and contained in the /etc/HOSTNAME configuration file. Not so with the router as this is a name used when requested or required by the ISP. In a typical GNU/Linux box, this same "host name" can be passed to the dhcp client daemon with the -h option. Regardless, if not required or requested, then I would think spoofing with any bogus and misleading name is a good idea.
Still, these browser dialog boxes seem to provide at least some information that unprivileged users should not see. Or should they?
Comments?