One way that hardware vendors try to make the configuration of a router easier is by instructing users to browse to a domain name rather than an IP address. TP-LINK routers use either tplinklogin.net or tplinkwifi.net.
The image above is the back of an old TP-LINK router, the TL-WR841N, showing the instructions to use tplinklogin.net.
The much newer TP-LINK Archer C9 instructs users, on the back label, to point their web browsers to the other domain, tplinkwifi.net.
No doubt, the use of domain names rather than IP addresses has proven helpful to router owners. For the last few years, the most popular blog I have written here is the one from September 2013, on how to Find the IP address of your home router.
According to Amitay Dan, CEO at Cybermoon, TP-LINK has lost control of the tplinklogin.net domain. Chances are, they forgot to renew it. Dan claims that the domain is now controlled by someone outside of the company, which is easily confirmed with public WHOIS data. While TP-LINK clearly owns tplinkwifi.net, the domain tplinklogin.net is owned by an anonymous entity and seems to be for sale.
Instead of buying back the domain, Dan claims that TP-LINK is updating their manuals to, I assume, remove references to tplinklogin.net.
I checked the TP-LINK website and found How do I log into the web-based Utility (Management Page) of TP-LINK wireless router? which says to use either an IP address or the domain they still own (tplinkwifi.net).
But a couple other documentation notes still promote the use of tplinklogin.net (How to configure Access Control on TP-LINK Wireless N Router? and How do I change the administrative username or password of TP-LINK Wireless Routers?).
Interestingly, the Quick Installation Guide for the TL-WR841N now says to use the good domain (tplinkwifi.net) while we saw above that the label on the back of the router says to use the bad one (tplinklogin.net).
My research found another problematic domain, tplinkextender.net. As the name implies, this one is used on TP-LINK Wi-Fi extenders. A check of the WHOIS information for tplinkextender.net shows that it too, is owned by an anonymous entity and is currently for sale.
As I write this (July 4th) the domain still owned by TP-LINK does not resolve anywhere on the Internet. The two that it no longer owns both resolve to pages trying to sell ownership of the domains. This while not connected to a TP-LINK device.
What does this mean to owners of TP-LINK routers and Wi-Fi extenders?
Boyd Chan, who seems to have written the first article on this, says "Unfortunately, for owners of TP-Link routers, this means that when they attempt to access their routers using tplinklogin.net they will be directed somewhere other than the router login page."
By and large, this should not be a problem for owners of TP-LINK devices. A TP-LINK router or extender should intercept requests to tplinklogin.net and tplinkextender.net and direct them to the router/extender rather than the Internet.
To be sure, I did a factory reset of a TL-WR841N router and then connected to it off-line. That is, the only thing the router was connected to, was my computer.
Entering tplinklogin.net took me to tplinkwifi.net which was the router's internal administrative website. Directly entering tplinkwifi.net also took me to the router's logon page.
The default IP address of the router was 192.168.0.1 and I was glad to see that even after changing this to 192.168.9.9, both domain names worked exactly as they had with the default IP address.
Next, I connected the router to the Internet and my computer to the router. As before, tplinklogin.net was re-directed to tplinkwifi.net and it was the router's internal logon page, not a page on the public Internet.
So, while this is not a security issue for someone connected to a TP-LINK router, what about the rest of us?
Anyone not connected to a TP-LINK router, that goes to tplinklogin.net, will see a public Internet web page rather than their router's internal logon page. Currently that page is an advertisement, but it could turn malicious at any time. Thanks for nothing TP-LINK.
All that said, if you own a TP-LINK device, its still safer to access it by IP address. I am in the habit of writing down the IP address for a router on paper, along with its assorted passwords, and taping it, face down, to the router itself.
Perhaps the biggest impact will be to the company's reputation. According to Dan, TP-LINK stopped communicating with him. I also checked their web site and found nothing about this issue. Hiding your head in the sand, does not make for good security.
Contrast this with the response of FastMail to a recent outage. On their status website, fastmailstatus.com, they posted frequent updates which showed they were working on the problem. My favorite report from June 30th was this one: "Spoke too soon; everything is terrible again". To me, this generates trust.
I am also turned off by the fact that none of the tech support documents at the TP-LINK site have any dates. Why do they feel they need to hide the date when something was created, and the date when it was last reviewed or updated?
The FTC can fine ASUS for poor router security yet it seems to have no impact. The same can be said for a feature story in the Wall Street Journal about how buggy software in consumer routers is hardly ever updated. Router reviews never consider security, other than the age-old, mandatory WPA2 recommendation. Heck, many reviews still consider WPS a good thing and fail to note its security implications.
An interesting exception seems to be Linksys WRT54GL. A recent article in Ars Technica notes that the lure of third party firmware, and its reputation for reliability, seem to overcome the fact that, by current standards, its quite slow.
My choice for a secure router is the Pepwave Surf SOHO, from Peplink. I maintain a long writeup of its pros/cons at RouterSecurity.org. The Surf SOHO is a business class router that is a big step up from consumer models, yet is reasonably priced and no harder to configure than the average consumer targeted router. My only relationship with Peplink is that of a customer.
That said, total non-techies, that are willing to give up some privacy, may be better off with a router that, by and large, they can't configure. Routers such as Google's OnHub, Eero, Luma and Starry Station are configured solely from a mobile app and omit 95% of the options offered by TP-LINK, Peplink and others.
While these routers communicate information with the hardware vendor, and we can't expect to ever know exactly what information is sent, they should, at the least, keep themselves up to date with new firmware. That counts for something and puts them ahead of other consumer routers.
- - - - - - -
Update: July 4, 2016. Added my testing and clarified that while this is not a problem for TP-LINK owners, it could be for the rest of us.
Update: July 8, 2016. TP-LINK has confirmed that they no longer use tplinklogin.net and tplinkextender.net and that their routers now use tplinkwifi.net. Their other devices use tplinkmodem.net, tplinkrepeater.net or tplinkplc.net, depending on the device type. And, of course, using an IP address still works. They write that this change does not affect "the security of our customers’ networks" to which I agree. It's everyone else that is at risk.
Update: July 8, 2016. An article at Ars Technica states that
On initial setup, while the router's Internet connection is still offline, the domain name will be trapped automatically and correctly send users to the router's configuration page. But subsequent visits to the configuration page can use the real Internet DNS system to resolve the address...
This is ridiculous. For one thing, I thoroughly tested it with a TL-WR841N router and found it not to be true. I even tested it with a computer hard coded to use OpenDNS and all the TP-LINK domains still resolved to the router, not the Internet. It also makes no sense logically.