Secure Usable Browser Connections for Intranet Scenarios
Almost all consumer networking devices and many IOT devices support local HTTP/S connections for management. This browser based interface is the typical default mechanism for managing, configuring and provisioning the device.
If the management interface is hosted on HTTP, then all content will be transmitted in clear text. This includes the transmission of the administration password. Any device hosting their management interface on an HTTP connection, is therefore announcing the users passwords on the internal network.
The alternative is to host the management interface on a HTTPS connection. This option provides the assurances of encryption (the password is not passed in the clear), but the solution is unusable for most consumers because of the warnings generated.
This document describes this problem.