Hacker News

> That's not exactly uncommon in cheap consumer routers.

That's, in my opinion, the only fair criticism available here.

> No rate limiting is as good as no authentication.

Trying to even load some of the links found in Google takes 10s of seconds. That's effectively a rate limit, even if it doesn't temp-ban per IP address.

Someone would have to dump the firmware to find out, but it would be trivial for each device to generate their own salt - making a potential lack of rate limit a non-issue.




> Someone would have to dump the firmware to find out, but it would be trivial for each device to generate their own salt - making a potential lack of rate limit a non-issue.

Salting does nothing to protect against brute-force attacks, which are what rate limiting defends against. Salting is done to protect passwords in the event the password data is stolen.


The load times are most likely primarily caused either by slow JS or high RTT/multiple requests, either of which could be trivially bypassed by an attacker. Or an attacker could just fire off 100 requests at the same time and saturate the bandwidth anyway, despite a high latency. And any high latency would likely be significantly lower if you happen to be in the same geographic area.

Latency is not rate-limiting.
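The distinction argued in this thread, as an added example that is not part of any comment: a constructed Python model of a login endpoint with a per-device salt, comparing slow responses against a per-source attempt limit on a simulated clock. The `Device` class, `guesses_checked`, the source address, the 10-second latency and the 5-attempts-per-60-seconds limit are all assumptions chosen for illustration.

```python
import hashlib, hmac, os
from collections import defaultdict, deque

class Device:
    """Constructed model of a login endpoint: per-device salt, optional attempt limit."""
    def __init__(self, password, max_attempts=None, window_s=60.0):
        self.salt = os.urandom(16)                    # unique per device, never sent to clients
        self.stored = self._hash(password)
        self.max_attempts, self.window_s = max_attempts, window_s
        self.recent = defaultdict(deque)              # source -> timestamps of counted attempts
        self.checked = 0                              # guesses that reached the hash comparison

    def _hash(self, password):
        # Low iteration count only to keep the model fast.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 1000)

    def login(self, source, guess, now):
        if self.max_attempts is not None:
            q = self.recent[source]
            while q and now - q[0] >= self.window_s:  # forget attempts outside the window
                q.popleft()
            if len(q) >= self.max_attempts:
                return "throttled"                    # rejected before any password check
            q.append(now)
        self.checked += 1
        # The device applies its own salt, so the salt never slows an online guess.
        ok = hmac.compare_digest(self._hash(guess), self.stored)
        return "ok" if ok else "denied"

def guesses_checked(device, duration_s, latency_s, in_flight):
    """Password checks performed in `duration_s` when a client keeps `in_flight`
    requests pending and each one takes `latency_s` to answer (no real sleeping)."""
    now = 0.0
    while now < duration_s:
        for _ in range(in_flight):
            device.login("203.0.113.7", "wrong-guess", now)   # constructed source address
        now += latency_s
    return device.checked
```

With 10-second responses and no limit, the number of guesses checked scales linearly with the number of parallel requests; with the attempt limit it stays at the same cap whether 1 or 100 requests are pending.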



