moviefan 184 Posted October 29, 2013

Would be something nice to have for sharing out to internet with all the talk of traffic spying going on. Especially when using passwords for login.

ebr 14958 Posted January 8, 2014

I'm not an expert but wouldn't this require a certificate on your server machine?

Redshirt 1487 Posted January 8, 2014

For those that don't know, passwords aren't passed around unencrypted.

Edited January 8, 2014 by Redshirt

tek64 0 Posted January 8, 2014

This 1000x! SSL for logins AND streaming.

Koleckai Silvestri 1150 Posted January 8, 2014

> I'm not an expert but wouldn't this require a certificate on your server machine?

You can easily build self-signed certificates. For personal use, you don't need anything else. All the certificates do is hold the keys used to decrypt the data. However encryption will probably degrade playback of video for a lot of people. Easier to create a personal VPN and use it as the tunnel to protect your data. Most mobile devices should allow the user to connect via VPN.

Edited January 8, 2014 by Wayne Luke

simono5 21 Posted January 8, 2014

> Easier to create a personal VPN and use it as the tunnel to protect your data. Most mobile devices should allow the user to connect via VPN.

How would you go about doing this?

Beardyname 195 Posted January 8, 2014

> For those that don't know, passwords aren't passed around unencrypted.

Thank you, I still would like the option for SSL, but it should be enough for the foreseeable future anyway!

tek64 0 Posted January 8, 2014

> I'm not an expert but wouldn't this require a certificate on your server machine?

As Wayne mentioned, yes, you can use self-signed, or you can purchase one for personal use. In a corporate network there are a few more options.

> You can easily build self-signed certificates. For personal use, you don't need anything else. All the certificates do is hold the keys used to decrypt the data. However encryption will probably degrade playback of video for a lot of people. Easier to create a personal VPN and use it as the tunnel to protect your data. Most mobile devices should allow the user to connect via VPN.

You are still encrypting the traffic whether you use SSL or VPN. A lot of home VPN routers, even the newer ones, do not support mobile VPN, native or app based. Also trying to train users how to create and use VPN on their mobile devices is a lot more cumbersome than simply providing them a https address. For some of us in the corporate environment that want to use this product for internal training videos, SSL is a must have.

Koleckai Silvestri 1150 Posted January 8, 2014

> How would you go about doing this?

http://www.pcworld.com/article/2030763/how-and-why-to-set-up-a-vpn-today.html
http://openvpn.net/

Koleckai Silvestri 1150 Posted January 8, 2014

> You are still encrypting the traffic whether you use SSL or VPN. A lot of home VPN routers, even the newer ones, do not support mobile VPN, native or app based. Also trying to train users how to create and use VPN on their mobile devices is a lot more cumbersome than simply providing them a https address. For some of us in the corporate environment that want to use this product for internal training videos, SSL is a must have.

More difficult to get the server software to support SSL though. Can't see it as high on the priority list but I guess if enough people make noise about it.

moviefan 184 Posted January 9, 2014 Author

I don't understand why it is so difficult to get the server software to support SSL. Can someone help explain this to me? VPNs are not the answer here IMO. Sure they are possible but I just want to go to the web page, not connect to a VPN first. Also, @Redshirt, can you please explain your statement better? How are the username and password being encrypted when using HTTP for the login page?

moviefan 184 Posted January 9, 2014 Author

> You mentioned traffic spying. I was just saying that the passwords are encrypted before being sent to the server in any api calls. They're not transmitted in plain text.

I still don't fully understand. If user A accesses my MB server using HTTP over the internet and is asked to login, surely his credentials will be passed back to the MB server over the open internet in cleartext. If not, what is doing the encryption? You either have to have a supported mechanism of exchanging keys (e.g. SSL) or some other method to securely exchange keys for proper encryption and that seems to be missing here. I can break out wireshark and inspect the traffic but without further information I am not understanding how this encryption is happening. What encryption algorithm are you using? How does it work?

Edited January 8, 2014 by moviefan

Redshirt 1487 Posted January 9, 2014

You mentioned traffic spying. I was just saying that the passwords are encrypted before being sent to the server in any api calls. They're not transmitted in plain text.

ebr 14958 Posted January 9, 2014

What he means is if you spy the traffic you will see something like

user=ebr&pw=jk3328750kkjaof99370kdagh03

With the pw being a SHA1 hash of the actual pw. This hash is created by the client before sending it to the server.

moviefan 184 Posted January 9, 2014 Author

I am not trying to get MB to adjust its priorities but I still do feel this is an important feature. The MAFIAA have been trying to make streaming a felony in the US for quite a while now and it is already the case in other countries. It is still a misdemeanor here in the US and even if you own the video it doesn't grant you the right to stream it over the internet to other users. With Snowden's revelations that everyone's traffic everywhere is being intercepted, and some news reports indicating that other agencies have been asking the NSA to see its data for their own purposes (such as the DEA), I think there is a strong chance of seeing cooperation in some form between those organizations to discourage piracy. Encryption is the only way to protect yourself against some massive sting against users in the country using packet capturing, which I still think is a possibility. This can be argued forever and I have no proof it will happen, but I am paranoid now and prefer to err on the side of caution so won't be making my media available to the internet until it is encrypted. I prefer to play stuff locally in full bitrate anyway so it doesn't really affect me very much but would still be a nice feature to have if we really want to have it accessible anywhere.

Koleckai Silvestri 1150 Posted January 9, 2014

SHA1 instead of Blowfish? SHA algorithms are vulnerable due to the fact that Bitcoins are based on them and bitcoin mining is simply breaking SHA hashes.

moviefan 184 Posted January 9, 2014 Author

Thank you for the explanation. Just to check I did a wireshark capture after setting a password of "test" for my user account and it was transmitted as a hash of a94a8fe5ccb19ba61c4c0873d391e987982fbbd3

This provides a decent amount of protection to start with although it is likely still hackable if someone sniffed the hash and ran MB through a proxy like ZAP or similar to allow for inline altering of results; unless the hash is salted with some sort of time based variable that would make it change dynamically. I am doubting this is the case but maybe I am wrong? If this is the way it is set up, it is better than nothing, but I don't think it would really prevent a determined adversary from gaining access if they could sniff traffic.

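The replay concern raised in the post above, as an added example that is not part of the original thread and is not MediaBrowser's code: the first server accepts the bare SHA-1 hash seen in the capture, the second is a hypothetical nonce-based challenge-response of the kind the post asks about. All class and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def client_token(password):
    """Unsalted SHA-1 hex digest, matching the value seen in the capture."""
    return hashlib.sha1(password.encode()).hexdigest()

def respond(password, nonce):
    """Hypothetical client step: HMAC the server's nonce with the password hash."""
    key = client_token(password).encode()
    return hmac.new(key, nonce.encode(), hashlib.sha256).hexdigest()

class StaticHashServer:
    """Accepts the bare hash, so the hash itself works as the credential."""
    def __init__(self, password):
        self.stored = client_token(password)
    def login(self, pw_field):
        return hmac.compare_digest(pw_field, self.stored)

class ChallengeServer:
    """Hypothetical alternative: every login must answer a fresh single-use nonce."""
    def __init__(self, password):
        self.stored = client_token(password)
        self.pending = set()
    def challenge(self):
        nonce = secrets.token_hex(16)
        self.pending.add(nonce)
        return nonce
    def login(self, nonce, response):
        if nonce not in self.pending:
            return False          # unknown or already used nonce
        self.pending.discard(nonce)
        key = self.stored.encode()
        expected = hmac.new(key, nonce.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(response, expected)

def demo():
    captured = client_token("test")    # constructed sample: password from the post
    static_replay = StaticHashServer("test").login(captured)
    srv = ChallengeServer("test")
    n1 = srv.challenge()
    r1 = respond("test", n1)           # what a sniffer would see for this login
    first = srv.login(n1, r1)
    same_nonce_replay = srv.login(n1, r1)
    new_nonce_replay = srv.login(srv.challenge(), r1)
    return captured, static_replay, first, same_nonce_replay, new_nonce_replay

if __name__ == "__main__":
    print(demo())
```

A per-login nonce only stops a captured value from being reused; the exchange and the media stream are still readable on the wire, which is what HTTPS would cover.
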
Guy 7 Posted January 9, 2014

It looks like Plex offers https support.

http://elan.plexapp.com/2013/08/12/plex-media-server-0-9-8-4-public-release/

> HTTPS support: The media server listens on port 32443 for HTTPS connections

Koleckai Silvestri 1150 Posted January 9, 2014

> I don't understand why it is so difficult to get the server software to support SSL. Can someone help explain this to me?

The server system they are using, ServiceStack, doesn't explicitly support SSL. There are ways to do it but they would need to code it themselves.

moviefan 184 Posted January 9, 2014 Author

Yes Plex does offer HTTPS support and it also runs on my Synology. I run Plex and use it sometimes but Plex is stupid because if you want to access it outside of your network you have to go through MyPlex. Anyway, this is a MediaBrowser forum and I am here because I like the way MB does things more than Plex. I like the developers better than Plex and the community better. I just wish it had HTTPS support for all the ambitions it promotes about access everywhere. I am happy to donate money if for some reason that would help the HTTPS project along more quickly. I really do not believe that the overhead on the servers for a few simultaneous SSL connections max is going to have any perceptible impact on video transcoding performance.

Edited January 26, 2014 by moviefan

BC101 31 Posted January 9, 2014

To support ATV client, I need a server to listen on port 443 (HTTPS). I was planning on building a C# server plugin (to be available in the plugin catalog) that listens on port 443, but if MB3 supports it natively then...I'd have to work with MB3 API to see how to make this work so I can listen for certain URLs or something...

ebr 14958 Posted January 9, 2014

Is your local media content really that valuable that someone would go to all that trouble to access it?

I understand what you are saying but we have to have priorities with our limited resources and this has to be down on the list a bit.

BC101 31 Posted January 9, 2014

Will mention @Luke in this to find out if this is in the planning stages or not.

BC101 31 Posted January 9, 2014

I didn't think that through. I can't overload port 443 to allow standard mediabrowser3 clients and the ATV. Would need to have MB3 use, for example, port 8443 and I'd use 443. But I could still reuse the same API, just listen on different port and supply different certificate and I'd handle my stuff and let MB3 server handle its.

Koleckai Silvestri 1150 Posted January 9, 2014

Also have to take into consideration Apache and/or IIS. They will usually bind to ports 80 and 443 by default. Skype also tries to bind to ports 80 and 443 as a backup. Those ports are well used in many situations. I run IIS on my server machine for my day job and for a small family server using Wordpress. Also have to run Skype daily for VOIP meetings, though I've turned off its use of port 80 and 443. Port 3306 should be considered out as well since MySQL runs on that port. Best to use the higher ranges where there is less chance of collision. 8443 would work.

Most people might not run a webserver and MySQL but a lot of people use Skype.

Edited January 9, 2014 by Wayne Luke