Security: WIFI passwords are exposed in admin


Glad to have received my router.

However, I found the following concerning given that the goal of the router is to provide security. I would expect a simple security review to avoid design issues like the one below.

Steps (using Chrome):

  • login to the Foris Configuration Interface
  • click WI-FI to go to
  • the wifi password fields hide the passwords characters (good)
  • right click password field, choose Inspect
  • the wifi password is clearly visible in the HTML.


  1. WIFI and other password should never be exposed from the router.
  2. This information is sent via the network over HTTP.

In my opinion, the fact the you need to login to the Foris site does not address 2) and should not be an excuse for 1)

1 Like
  1. you can use HTTPS for Foris and LuCI

Which should be standard and be enforced. It’s really a shame that https is not the standard.

1 Like

Most the time for most users, there is no need to use HTTPS in local lan, as it take additional CPU resource. If someone need to use HTTPS for local admin web site, then he can setup it by himself.
Also don’t forget that when there would be default HTTPS the cert would be probably selfsigned, then the users would be complain that their browser say “aaaaaa INSECURE aaaaa DONT TRUST aaaaa”

Can you propose any solution, especially for problem no. 2?

I can imagine there could be a Let’s Encrypt client built in to obtain a trusted certificate for the HTTPS on the first run, however, which domain name should it use? What if router is not accessible from the Internet? Using wired connection from your computer directly to the router gives very small attack surface even without encryption.

Issue number 1 I don’t see as any issue at all. As a priveleged user, you can reset Wi-Fi password any time, you can read it from the config files or even directly from router memory. Password visibility in the router setup allows you, on the other hand, to make use of the QR codes for quick Wi-Fi connection (they also contain cleartext password, in case you didn’t spotted that).