
HTTPS Support


moviefan

Would be something nice to have for sharing out to internet with all the talk of traffic spying going on.  

 

Especially when using passwords for login.

  • Like 5
Link to comment
Share on other sites

  • 2 months later...
Redshirt

For those that don't know, passwords aren't passed around unencrypted.

Edited by Redshirt
Link to comment
Share on other sites

Koleckai Silvestri

I'm not an expert but wouldn't this require a certificate on your server machine?

You can easily build self-signed certificates. For personal use, you don't need anything else. All the certificates do is hold the keys used to decrypt the data. However encryption will probably degrade playback of video for a lot of people.

 

Easier to create a personal VPN and use it as the tunnel to protect your data. Most mobile devices should allow the user to connect via VPN.

Edited by Wayne Luke
Link to comment
Share on other sites

simono5

Easier to create a personal VPN and use it as the tunnel to protect your data. Most mobile devices should allow the user to connect via VPN.

 

How would you go about doing this?

Link to comment
Share on other sites

Beardyname
For those that don't know, passwords aren't passed around unencrypted.

 

 

 

Thank you :) I still would like the option for SSL, but it should be enough for the foreseeable future anyway!

 

 

Link to comment
Share on other sites

I'm not an expert but wouldn't this require a certificate on your server machine?

 

As Wayne mentioned, yes, you can use self-signed, or you can purchase one for personal use.  In a corporate network there are a few more options.

 

You can easily build self-signed certificates. For personal use, you don't need anything else. All the certificates do is hold the keys used to decrypt the data. However encryption will probably degrade playback of video for a lot of people.

 

Easier to create a personal VPN and use it as the tunnel to protect your data. Most mobile devices should allow the user to connect via VPN.

 

You are still encrypting the traffic whether you use SSL or VPN.  A lot of home VPN routers, even the newer ones, do not support mobile VPN, native or app based.  Also trying to train users how to create and use VPN on their mobile devices is a lot more cumbersome than simply providing them a https address.

 

For some of us in the corporate environment that want to use this product for internal training videos, SSL is a must have.

Link to comment
Share on other sites

Koleckai Silvestri

You are still encrypting the traffic whether you use SSL or VPN.  A lot of home VPN routers, even the newer ones, do not support mobile VPN, native or app based.  Also trying to train users how to create and use VPN on their mobile devices is a lot more cumbersome than simply providing them a https address.

 

For some of us in the corporate environment that want to use this product for internal training videos, SSL is a must have.

 

More difficult to get the server software to support SSL though. Can't see it as high on the priority list but I guess if enough people make noise about it. 

Link to comment
Share on other sites

moviefan

I don't understand why it is so difficult to get the server software to support SSL.  Can someone help explain this to me?

 

VPNs are not the answer here IMO.  Sure they are possible but I just want to go to the web page, not connect to a VPN first.

 

Also, @Redshirt, can you please explain your statement better?

 

How are the username and password being encrypted when using HTTP for the login page?

Link to comment
Share on other sites

moviefan

You mentioned traffic spying. I was just saying that the passwords are encrypted before being sent to the server in any API calls. They're not transmitted in plain text.

 

I still don't fully understand.

 

If user A accesses my MB server using HTTP over the internet and is asked to login, surely his credentials will be passed back to the MB server over the open internet in cleartext.

 

If not, what is doing the encryption?  You either have to have a supported mechanism of exchanging keys (e.g. SSL) or some other method to securely exchange keys for proper encryption and that seems to be missing here.

 

I can break out wireshark and inspect the traffic but without further information I am not understanding how this encryption is happening.  What encryption algorithm are you using?  How does it work?

Edited by moviefan
Link to comment
Share on other sites

Redshirt

You mentioned traffic spying. I was just saying that the passwords are encrypted before being sent to the server in any API calls. They're not transmitted in plain text.

Link to comment
Share on other sites

What he means is if you spy the traffic you will see something like user=ebr&pw=jk3328750kkjaof99370kdagh03

 

With the pw being a SHA1 hash of the actual pw.  This hash is created by the client before sending it to the server.

Link to comment
Share on other sites

moviefan

I am not trying to get MB to adjust its priorities but I still do feel this is an important feature.

 

The MAFIAA have been trying to make streaming a felony in the US for quite a while now and it is already the case in other countries.  It is still a misdemeanor here in the US and even if you own the video it doesn't grant you the right to stream it over the internet to other users.

 

With Snowden's revelations that everyone's traffic everywhere is being intercepted, and some news reports indicating that other agencies have been asking the NSA to see its data for their own purposes (such as the DEA) I think there is a strong chance of seeing cooperation in some form between those organizations to discourage piracy.  Encryption is the only way to protect yourself against some massive sting against users in the country using packet capturing which I still think is a possibility.  This can be argued forever and I have no proof it will happen, but I am paranoid now and prefer to err on the side of caution so won't be making my media available to the internet until it is encrypted.

 

I prefer to play stuff locally in full bitrate anyway so it doesn't really affect me very much but would still be a nice feature to have if we really want to have it accessible anywhere.

Link to comment
Share on other sites

Koleckai Silvestri

SHA1 instead of Blowfish? SHA algorithms are vulnerable due to the fact that Bitcoins are based on them and bitcoin mining is simply breaking SHA hashes.

Link to comment
Share on other sites

moviefan

Thank you for the explanation.

 

Just to check I did a wireshark capture after setting a password of "test" for my user account and it was transmitted as a hash of a94a8fe5ccb19ba61c4c0873d391e987982fbbd3

 

This provides a decent amount of protection to start with although it is likely still hackable if someone sniffed the hash and ran MB through a proxy like ZAP or similar to allow for inline altering of results; unless the hash is salted with some sort of time based variable that would make it change dynamically.  I am doubting this is the case but maybe I am wrong?

 

If this is the way it is setup, it is better than nothing, but I don't think it would really prevent a determined adversary from gaining access if they could sniff traffic.

Link to comment
Share on other sites
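
Editor's added example (not part of any post above and not MediaBrowser's code): the server-side check for the static `pw=SHA1(password)` field described in the thread, next to a hypothetical one-time-nonce variant of the kind the preceding post asks about. `static_login`, `ChallengeServer` and `client_response` are assumed names, and the password "test" is the sample value from that post.

```python
import hashlib
import hmac
import secrets

# Constructed sample: the password "test" used in the capture described above.
STORED = hashlib.sha1(b"test").hexdigest()  # value the server compares against

def static_login(pw_field: str) -> bool:
    """Scheme from the thread: the client sends SHA1(password) unchanged each time."""
    return hmac.compare_digest(pw_field, STORED)

class ChallengeServer:
    """Hypothetical alternative: a single-use server nonce is mixed into each login."""
    def __init__(self) -> None:
        self.outstanding = set()

    def new_challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, nonce: str, response: str) -> bool:
        if nonce not in self.outstanding:
            return False                      # unknown or already consumed nonce
        self.outstanding.discard(nonce)       # single use
        expected = hmac.new(bytes.fromhex(STORED), nonce.encode(),
                            hashlib.sha256).hexdigest()
        return hmac.compare_digest(response, expected)

def client_response(password: str, nonce: str) -> str:
    """Client side: key the HMAC with SHA1(password), never send the hash itself."""
    key = hashlib.sha1(password.encode()).digest()
    return hmac.new(key, nonce.encode(), hashlib.sha256).hexdigest()

def demo() -> dict:
    captured = hashlib.sha1(b"test").hexdigest()  # what a capture of the login shows
    server = ChallengeServer()
    n1 = server.new_challenge()
    r1 = client_response("test", n1)
    fresh = server.verify(n1, r1)
    n2 = server.new_challenge()
    return {
        "captured": captured,
        "static_replay_accepted": static_login(captured),   # hash == credential
        "fresh_login": fresh,
        "same_nonce_again": server.verify(n1, r1),
        "old_response_new_nonce": server.verify(n2, r1),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

In the nonce variant the stored SHA-1 is still the HMAC key, so it remains password-equivalent on the server side, and neither scheme encrypts the session or the media stream; that part is what HTTPS would add.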

Koleckai Silvestri

I don't understand why it is so difficult to get the server software to support SSL.  Can someone help explain this to me?

 

The server system they are using, ServiceStack, doesn't explicitly support SSL. There are ways to do it but they would need to code it themselves.

Link to comment
Share on other sites

moviefan

Yes Plex does offer HTTPS support and it also runs on my Synology.  I run Plex and use it sometimes but Plex is stupid because if you want to access it outside of your network you have to go through MyPlex.

 

Anyway, this is a MediaBrowser forum and I am here because I like the way MB does things more than Plex.  I like the developers better than Plex and the community better.  I just wish it had HTTPS support for all the ambitions it promotes about access everywhere.

 

I am happy to donate money if for some reason that would help the HTTPS project along more quickly.

 

I really do not believe that the overhead on the servers for a few simultaneous SSL connections max is going to have any perceptible impact on video transcoding performance.

Edited by moviefan
Link to comment
Share on other sites

To support ATV client, I need a server to listen on port 443 (HTTPS)

 

I was planning on building a C# server plugin (to be available in the plugin catalog) that listens on port 443, but if MB3 supports it natively then...I'd have to work with MB3 API to see how to make this work so I can listen for certain URLs or something...

Link to comment
Share on other sites

Is your local media content really that valuable that someone would go to all that trouble to access it?  ;)

 

I understand what you are saying but we have to have priorities with our limited resources and this has to be down on the list a bit.

Link to comment
Share on other sites

I didn't think that through. I can't overload port 443 to allow standard mediabrowser3 clients and the ATV. Would need to have MB3 use, for example, port 8443 and I'd use 443. But I could still reuse the same API, just listen on different port and supply different certificate and I'd handle my stuff and let MB3 server handle its.

Link to comment
Share on other sites

Koleckai Silvestri

Also have to take into consideration Apache and/or IIS. They will usually bind to ports 80 and 443 by default. Skype also tries to bind to ports 80 and 443 as a backup. Those ports are well used in many situations. I run IIS on my server machine for my day job and for a small family server using Wordpress. Also have to run Skype daily for VOIP meetings, though I've turned off its use of port 80 and 443. Port 3306 should be considered out as well since MySQL runs on that port. Best to use the higher ranges where there is less chance of collision. 8443 would work. 

 

Most people might not run a webserver and MySQL but a lot of people use Skype.

Edited by Wayne Luke
Link to comment
Share on other sites
