
http is outdated


frank42


Hi,

Since I got forced to log in here by the admin ("For security reasons, the administrator of Emby Community has required you to reset your password."), I wanted to use this nag to report that http is outdated.

On the homepage https://emby.media/ there's a "SIGN IN" button in the upper right, which redirects to http://app.emby.media/. This should be https://app.emby.media/, or is it intended that just the login link is unencrypted?


GrimReaper
48 minutes ago, frank42 said:

This should be https://app.emby.media/, or is it intended that just the login link is unencrypted?

app.emby.media is the hosted Web app address, and whether you use an encrypted or unencrypted link depends on your server's remote setup: SSL or not.


2 hours ago, GrimReaper said:

app.emby.media is hosted Web app address and whether you will use encrypted or unencrypted link depends on your server remote setup: SSL or not. 

Wait, what? I'm sorry but that answer is wrong on several levels.

First of all: I'm talking about https://emby.media/ - The project's homepage. Follow this link please. You will see some links in the upper right. ABOUT, BLOG, DOWNLOAD, EMBY PREMIERE, SIGN IN and SUPPORT. When you move your mouse over them, you will notice that every link starts with https, except for SIGN IN, which is http://app.emby.media/

You can't explain this with MY emby installation. Which IS encrypted as well, by the way.


GrimReaper

And again, yes, that is the address of the hosted Web app, upon which you'd sign in to your server. If you don't have SSL set up, https would fail to connect, hence it leads to http by default, as the majority of users don't, since the server's default remote connection is unsecured. You can manually connect to https if you have a secure server.

Edited by GrimReaper

When the day comes that all Emby Servers have guaranteed SSL, then we'll be able to disable http for app.emby.media

But if we do it prematurely it will just cause a lot of connection failures for a lot of people.


3 weeks later...

I'm new here and thinking about switching to Emby, so please could you explain in detail what happens on that page? Because it did scare me that I get prompted to enter my password, on a homepage I get linked to from the main Emby page, that is by default unencrypted.

What happens when I enter my user credentials on that page? Where does it get sent to? And where is my Username and password while it is unencrypted?

Either way, I think this should be clarified on that page.

Edited by Cathnan

swallman
On 1/17/2023 at 2:25 PM, Luke said:

When the day comes that all Emby Servers have guaranteed SSL, then we'll be able to disable http for app.emby.media

But if we do it prematurely it will just cause a lot of connection failures for a lot of people.

Just the fact that the Sign in with Emby Connect page isn't secure is a pretty big hole in my opinion. Isn't there a more secure way to handle that? I'm assuming that if a user enters their credentials on that page, they are sent to Emby (insecurely), where you validate their creds?


The http requests to authenticate with Emby Connect still occur over https. It is just the web page html that is plain http.


6 hours ago, Luke said:

The http requests to authenticate with Emby Connect still occur over https. It is just the web page html that is plain http.

So if I understand correctly, this page gets loaded from Emby servers, the credentials get sent back to Emby servers over https, and then the page establishes a connection to the user's media server. I'm curious, what is the technical reason this page can't be on https until it starts setting up the connection with the user server? Couldn't it be downgraded to http when the connection to the user server is established?


2 hours ago, Cathnan said:

So if I understand correctly, this page gets loaded from Emby servers, the credentials get sent back to Emby servers over https, and then the page establishes a connection to the user's media server. I'm curious, what is the technical reason this page can't be on https until it starts setting up the connection with the user server? Couldn't it be downgraded to http when the connection to the user server is established?

If the web page were on https then it could only reach https domains, and so it would never be able to connect to an Emby Server over http.


And why exactly is that so? Where's the problem in globally enabling transport encryption by adding a snake-oil 99-year self-signed certificate to Emby at installation level? It's not required to be an officially issued one; it can be created automatically while installing and/or updating without any user interaction. And since you tunnel the connection, you can even suppress the "this is not an officially signed certificate" warnings. You could even make it an option in the settings to manage Let's Encrypt certificates on installations with a static IP and valid FQDN.

Unencrypted communication. In 2023. Tststststs.

[P.S. Just to be clear: emby is an incredibly awesome piece of work. I really love it. But unencrypted connections - for whatever reason - are not awesome. IMHO]

Edited by frank42

6 hours ago, frank42 said:

And why exactly is that so? Where's the problem in globally enabling transport encryption by adding a snake-oil 99-year self-signed certificate to Emby at installation level? It's not required to be an officially issued one; it can be created automatically while installing and/or updating without any user interaction. And since you tunnel the connection, you can even suppress the "this is not an officially signed certificate" warnings. You could even make it an option in the settings to manage Let's Encrypt certificates on installations with a static IP and valid FQDN.

Unencrypted communication. In 2023. Tststststs.

[P.S. Just to be clear: emby is an incredibly awesome piece of work. I really love it. But unencrypted connections - for whatever reason - are not awesome. IMHO]

It's browser policy. You can't send requests to http domains over https. And why can't we use any cert - because we need to make sure it actually works across devices that we support, and a self-signed cert is not going to do that.

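The "browser policy" Luke refers to in the last two replies is the mixed-content rule: a document loaded in a secure context (https) may only fetch URLs the browser considers a priori authenticated, while a plain-http document has no such restriction. The following is an added example, not Emby's code and not from any poster in this thread, that models that rule as a pure function and runs it over constructed scenarios mirroring the thread (the hosted app over http or https, against a server that speaks only http, https, a LAN address, or loopback). The hostname `my-emby.example.net`, the LAN address `192.168.1.20`, and the ports `8096`/`8920` are assumptions for illustration; the loopback exemption follows the Secure Contexts definition of a potentially trustworthy origin.

```javascript
// Added example, not Emby's code: a model of the browser mixed-content rule
// described in the thread. A document in a secure context (loaded over https)
// may only fetch "a priori authenticated" URLs, so an app served from
// https://app.emby.media/ could never reach an Emby Server that only listens
// on plain http, while the http:// copy of the app can reach both kinds.
// Hostnames, addresses and ports in the scenarios are constructed.

// Secure Contexts rule of thumb: https/wss is trustworthy, and so is plain
// http to a loopback host, which browsers exempt from mixed-content blocking.
function isPotentiallyTrustworthy(url) {
  const u = new URL(url);
  if (u.protocol === 'https:' || u.protocol === 'wss:') return true;
  const host = u.hostname;
  return (
    host === 'localhost' ||
    host.endsWith('.localhost') ||
    /^127\.\d+\.\d+\.\d+$/.test(host) ||
    host === '[::1]'
  );
}

// Decide whether a fetch from documentUrl to requestUrl would be blocked
// as mixed content.
function mixedContentVerdict(documentUrl, requestUrl) {
  const doc = new URL(documentUrl);
  const req = new URL(requestUrl);
  if (!isPotentiallyTrustworthy(doc.href)) {
    // A plain-http document is not a secure context, so nothing it fetches
    // counts as mixed content. This is why the http:// app "just works".
    return { allowed: true, reason: 'document is not in a secure context' };
  }
  if (isPotentiallyTrustworthy(req.href)) {
    return { allowed: true, reason: 'target is a priori authenticated' };
  }
  return {
    allowed: false,
    reason: `blocked: secure document at ${doc.origin} cannot fetch ${req.origin}`,
  };
}

// Constructed scenarios: hosted app over http/https against servers that
// expose http only, https, a plain-http LAN address, or loopback.
const SCENARIOS = [
  ['http://app.emby.media/', 'http://my-emby.example.net:8096/'],
  ['http://app.emby.media/', 'https://my-emby.example.net:8920/'],
  ['https://app.emby.media/', 'http://my-emby.example.net:8096/'],
  ['https://app.emby.media/', 'https://my-emby.example.net:8920/'],
  ['https://app.emby.media/', 'http://192.168.1.20:8096/'],
  ['https://app.emby.media/', 'http://localhost:8096/'],
];

function evaluateScenarios(scenarios = SCENARIOS) {
  return scenarios.map(([doc, server]) => ({
    doc,
    server,
    ...mixedContentVerdict(doc, server),
  }));
}

for (const r of evaluateScenarios()) {
  console.log(`${r.allowed ? 'ALLOW' : 'BLOCK'}  ${r.doc} -> ${r.server}  (${r.reason})`);
}
```

Run it with `node` to see which combinations a browser would refuse. The two blocked rows are the https app talking to an http-only server on a public hostname and on a LAN address; the loopback row is the one exemption browsers carve out, and it does not help a hosted page reach a server on another machine. Note that this only models where a page's fetches may go: it says nothing about the integrity of an http-delivered page itself, which is the concern raised earlier in the thread.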
