
Serious security concerns - Am I missing something?


pflumph


skl_mobile

He wasn't trying to say that MB is like Vista. Just a comparison in how security and ease of use can be at odds and most people prefer ease of use. (even if it isn't good for them)

 

:D 'twas a joke.


Angelblue05

It's always better to opt in to security than opt out of it. My reasoning: if security is set by default, users will wonder why they can't connect to the server. This affects the "out of box" experience. If it's the admin's choice to opt in to better security, then they will remember "hey I enabled this. This is probably why I can't connect to the server right now". The "out of box" experience remains intact. :)

 

The only important option I would like to see is a one-click Disable external access feature. Anything else should be simply made aware to the admin in an explicit way while setting up the server. Inform, don't conform.


techywarrior

Well, there still needs to be either a minimum amount of security or some sort of warning/information.

 

Many average users won't understand that by default their server is open to everyone. It's like "cool, I can connect while I am away". There is no thinking "wait... so can anyone else".

 

For now I think informing a user when he creates a new user with no external password with some sort of warning would be good. Something as simple as "Warning. Having no external password will allow anyone who finds your server access to your media. Are you sure this is what you want?"


That's a frightening thing to hear from a dev  :huh:

 

If MBS requires passwords for new users and automatically bypasses them for internal networks, the user experience is preserved, and the install is secure.

Also, documentation like the tutorial on port forwarding MBS should discuss security at the top, rather than a mention at the end.

 

Obviously the user experience needs to be as smooth as possible to retain new users - Especially "less-than-technical" ones.  But that doesn't mean it can't be smooth and secure  B)


Angelblue05

@@pflumph

 

It's all about the presentation. I'm not saying security is not important, au contraire. I just strongly believe information displayed in an explicit way at setup, informing new Media Browser admins of the impact every security option has on external access, is more than enough to make an informed decision. Knowing the why behind the settings will allow admins to customize their security layers perfectly, while making them aware of available options if they choose not to enable them.

 

The server has no place in making such decisions. Its only job is to provide the security options and make users aware of them. I personally prefer opt-in options. Call me paranoid, but the other way around kind of reminds me of toolbars and other offers that are already checked when installing a new piece of software...sneaky :ph34r:....

 

Being informed of security options and made aware of why they should be enabled, rather than force security by default (Vista style) is the way to go, in my opinion. Let the admin make the decisions during the installation, according to their needs. This should ensure a smooth experience and a secure end product, while educating users without forcing anything on anyone even if it's usually for their own good...

 

As I said, the only option I could see as a needed step is to enable or disable external access with a single click. Everything else just rolls off from that simple setting. If external access is disabled, then why would I want to add extra layers of security forced upon the user.  :)This is just my opinion as a user, not as a dev, btw.

Edited by Angelblue05

Deathsquirrel

More seriously, I would suggest considering two classes of changes to address security of the app from outside users:

 

1) Change the default server behavior to not allow connections from outside the network, or at least consider making it a question during the installation. Make it something you have to enable. Preferably enabling outside access would come with a popup or other reminder about account security.

2) Change the default behavior of accounts.

--Don't allow access to admin accounts from outside the network by default.

--Don't give limited users delete or download rights by default.

 

With those two types of security changes a user has to affirmatively choose to open their network AND when they do so any user account created can't do more than browse the media and playback by default. 

 

Down the road I'd also love to see an option to limit outside connections to encrypted connections so passwords can't be captured in the clear.


Angelblue05

It comes down to this, in my opinion: This is mostly about 2.

 

By default, do we want to make MB features work or do we want users to enable/disable options to get MB features to work? Once you answer this question, then you know what you are looking for in terms of user experience vs peace of mind. :) The security features you mention already exist. This is really a question of what should be set as default. It ultimately comes down to how simple it is to set up an "out of the box" Media Browser server vs expectations. Again, this is my opinion as a user.


CashMoney

I agree with Angelblue05.

 

--Don't allow access to admin accounts from outside the network by default.

--Don't give limited users delete or download rights by default.

 

Those 2 imho would offer a good balance of security and usability.


mediacowboy

By default Media Browser does not allow external access. That is something the Administrator has to set up in the router/firewall. Also by default the server does not allow users to delete media. Please correct me if I am wrong. IMHO the best thing to do would be to ask for a password at the time of user creation, when you are typing the username, and the lock-out feature that Luke talked about. I see where everyone is coming from. It basically all boils down to how well informed the Administrator of the server is. Which would lead to better documentation, but then you get into how detailed you make it. Do you make it step by step and make the advanced users feel stupid, or make it so generic that the basic user doesn't understand it and turns away? I applaud Luke and the team. I feel that they do a really good job on this. Just my two cents.


Angelblue05

Indeed mediacowboy, you are correct,

 

I just think documentation is lacking during or right after the installation. How to properly secure your server and what security options are available to you should be introduced right away. It should be detailed in one area particularly: the impact each security option has on clients trying to connect to the server. For now, I'd say educating users is the best way to tackle this dilemma. Security options are already in place, users just need to know or be reminded they exist. If a steeper measure needs to be taken (change current default behaviors), then I say we cross that bridge when we get to it.  ^_^:unsure: Opinion as a user

 

My point of view: I believe key features of Media Browser need to work off the bat within a logical security realm. By default, preventing users from accomplishing said features unless they comply will cause more problems than it will solve. The only additions I'd like to see are a defined option to enable/disable external access and better security documentation at install. Everything mentioned here is solved by a better awareness of the security options available to admins, not by changing default behaviors.

Edited by Angelblue05

One thing I would suggest however.

 

If any account has admin privs then don't allow login from external without a password!

 

A WARNING message could also show (at least in the web client) EVERY TIME they login without a password that this account can not be used externally (from the Internet) until a password is set.

 

Carlo

Edited by cayars

Deathsquirrel

Absolutely, the dev team driving this has to decide how to balance this.  My suggestion is that things that aren't dangerous should be opt-out; on by default.  Things that are potentially dangerous should be opt-in; disabled by default.

 

Just to be clear, the suggestions I made don't exist in the current product.

  • MB allows external connections to the web UI if the port is open on your firewall.
  • Admin accounts are usable from outside the firewall if connectivity is allowed from outside the firewall.
  • Default accounts don't have delete rights but do have sync/download rights by default.

Note that if you enable the UPnP port mapping function there is no warning that you're going to open your firewall, though I believe that option is disabled by default. Haven't set up a new server in some time.


Angelblue05

Maybe an idea along these lines could work? Maybe something to consider. It would give everyone an easy access to different security layers.  :) I just want to point out that everyone has brought up very valid points, this is why I've been following this thread, from a user's perspective.

 

Security level // Motto and definition

-------------------------------------------------------------------------------------

 

Default

Better safe than sorry. Some basic security should be enabled, balanced with ease of configuration. Will receive occasional reminders about security settings. A step above what we currently have.

 

Advanced

I know what I'm doing. Pretty happy with the current settings. If something needs to be enabled or disabled, I'd like to make that decision. No reminders or warnings.

 

Expert

I like to be 100% protected. Every security option is enabled with constant warnings. I'm aware this might prevent some features from functioning correctly, by default.

Edited by Angelblue05

skl_mobile

Maybe an idea along these lines could work? Maybe something to consider. It would give everyone an easy access to different security layers.  :) I just want to point out that everyone has brought up very valid points, this is why I've been following this thread, from a user's perspective.

 

Security level // Motto and definition

-------------------------------------------------------------------------------------

 

Default

Better safe than sorry. Some basic security should be enabled, balanced with ease of configuration. Will receive occasional reminders about security settings. A step above what we currently have.

 

Advanced

I know what I'm doing. Pretty happy with the current settings. If something needs to be enabled or disabled, I'd like to make that decision. No reminders or warnings.

 

Full

I like to be 100% protected. Every security option is enabled with constant warnings. I'm aware this might prevent some features from functioning correctly, by default.

 

Being asked that on install would be great! Maybe change "Full" to "Expert"!


I like that idea but the names don't really match.  How about:

 

Please select the default security settings to start with:

 

PROTECTED
I like to be 100% protected. All security options are enabled by default with constant warnings given if you change a feature that violates this security level. I'm aware this might prevent some features from functioning correctly, by default.
Examples: All accounts must have passwords. No easy sign on from the Internet, etc
 
Balanced (Default)
Better safe than sorry. Some basic security should be enabled, balanced with ease of configuration. Will receive occasional reminders about security settings. 
Examples: All Admin accounts and accounts that have the ability to modify data must have passwords. Only accounts with passwords show up for easy sign on (if configured), Security warnings only given for medium/high issues, etc
 
Expert
I know what I'm doing and take full control over all aspects of my system's security.
 
I'd suggest some type of "security analyzer" be added to the dashboard (in time).  Sort of a checklist of some things that can be checked and quickly viewed. Maybe color coded:
Admin accounts not set with a password: None
Users with delete privs that do not have a password: JohnM
Users with download privs that do not have a password: MikeL
Users with quick login that do not have a password set: None
Server available from Internet over http: Yes
Server available without SSL cert: Yes
Server certificate expiry date: 22 days from now
etc...
 
Carlo
Edited by cayars
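As an added example (not code from Media Browser or from any poster in this thread), the two proposals above in working form: the login rule from Deathsquirrel's and Carlo's posts (local network bypasses the password, passwordless accounts, admin or not, never log in from the Internet, and external access is a single switch) and the dashboard "security analyzer" checklist from Carlo's post, run over a constructed user list and server config. All names here (User, ServerConfig, login_allowed, analyze, the sample users) are assumptions for illustration, not the project's own types or API.

```python
# Added example, not Media Browser code. The model, the policy and the
# sample data are assumptions chosen to mirror the thread's checklist.
from dataclasses import dataclass
from datetime import date
from typing import Callable, Optional
import ipaddress

# Networks treated as "inside" for the password bypass (assumption).
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in
                  ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class User:
    name: str
    has_password: bool
    is_admin: bool = False
    can_delete: bool = False
    can_download: bool = False
    quick_login: bool = False        # listed on the "easy sign on" screen


@dataclass
class ServerConfig:
    external_access: bool            # the one-click external access switch
    https_only: bool
    has_certificate: bool
    cert_expiry: Optional[date] = None


def is_local(source_ip: str) -> bool:
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in LOCAL_NETWORKS)


def login_allowed(user: User, source_ip: str, cfg: ServerConfig,
                  password_ok: bool) -> tuple:
    """password_ok is the outcome of verifying the supplied password
    (always False for an account that has none). Returns (allowed, reason)."""
    if is_local(source_ip):
        return True, "local network: password bypassed"
    if not cfg.external_access:
        return False, "external access is disabled"
    if not user.has_password:
        return False, "accounts without a password cannot log in from the Internet"
    if not password_ok:
        return False, "wrong password"
    return True, "external login with password"


def analyze(users: list, cfg: ServerConfig, today: date) -> list:
    """The checklist: (severity, check, detail) rows for colour coding.
    Severity is 'ok' when a check finds nothing."""
    rows = []

    def account_check(check: str, pred: Callable[[User], bool], severity: str):
        hits = [u.name for u in users if pred(u) and not u.has_password]
        rows.append((severity if hits else "ok", check, ", ".join(hits) or "None"))

    account_check("Admin accounts not set with a password", lambda u: u.is_admin, "high")
    account_check("Users with delete privs that do not have a password", lambda u: u.can_delete, "high")
    account_check("Users with download privs that do not have a password", lambda u: u.can_download, "medium")
    account_check("Users with quick login that do not have a password set", lambda u: u.quick_login, "medium")

    plain_http = cfg.external_access and not cfg.https_only
    rows.append(("high" if plain_http else "ok", "Server available from Internet over http",
                 "Yes" if plain_http else "No"))
    no_cert = cfg.external_access and not cfg.has_certificate
    rows.append(("high" if no_cert else "ok", "Server available without SSL cert",
                 "Yes" if no_cert else "No"))
    if cfg.cert_expiry is not None:
        days = (cfg.cert_expiry - today).days
        sev = "high" if days < 0 else "medium" if days < 30 else "ok"
        rows.append((sev, "Server certificate expiry date", f"{days} days from now"))
    return rows


# Constructed sample data (not from any real server).
SAMPLE_USERS = [
    User("admin", has_password=True, is_admin=True, can_delete=True, can_download=True),
    User("JohnM", has_password=False, can_delete=True),
    User("MikeL", has_password=False, can_download=True),
    User("kid", has_password=True, quick_login=True),
]
SAMPLE_CONFIG = ServerConfig(external_access=True, https_only=False,
                             has_certificate=True, cert_expiry=date(2015, 1, 23))
SAMPLE_TODAY = date(2015, 1, 1)

if __name__ == "__main__":
    for sev, check, detail in analyze(SAMPLE_USERS, SAMPLE_CONFIG, SAMPLE_TODAY):
        print(f"[{sev:6}] {check}: {detail}")
    print(login_allowed(SAMPLE_USERS[1], "192.168.1.20", SAMPLE_CONFIG, False))
    print(login_allowed(SAMPLE_USERS[1], "203.0.113.5", SAMPLE_CONFIG, False))
```

The analyzer only reports; the login rule is what actually closes the gap, because a passwordless account is harmless on the LAN and only becomes a problem once the external switch is on and the port is forwarded. Running the sample shows JohnM under the delete check and MikeL under the download check, and JohnM logging in from 192.168.1.20 but being refused from 203.0.113.5.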

I like everything about this ^^

 

I'm very happy with where this thread went  :D

 

Thanks everyone!

Edited by pflumph

I agree that would be the ideal, BUT that is probably a lot of work on the devs and a lot of changes throughout the code.

So while I feel it might be the ideal, I'd like to see the devs keep this in mind going forward while making whatever changes they can to the default setup (for now).

 

But for the immediate release:

If we require a password on the admin account and by default DON'T allow logins via Internet to accounts without a password then most of the security is covered.

If we can run some type of basic scan as I already gave then this could be enough.

 

I really would like to see a "security analyzer", as this could alleviate a lot of the security concerns, because if we give a user a tool to find problems and they ignore them then... tsk on them. If they ignored the security analyzer and have a problem then shame on them. At least on the forums and anywhere else we could simply say the OP ignored "Security Best Practices"...

 

Carlo


Beardyname

As long as the pre-settings do not affect my ability to set up the server however I want, I don't see a reason not to have some default settings.

 

In the meanwhile, adding some text to the installer explaining why passwords are great seems like the best route.

 

 

And for the "analyzer" thing, that belongs in the report section (imo), since I don't really need to see that information every time I visit the dashboard.


Tranquil

Today I played a bit with the MBS API, in an early stage of a project of mine, and I was also surprised that I can even download user images without a valid token. The user is hidden from the login screen, so I would assume that his profile picture can only be downloaded with a valid session/token ID.

 

Do I miss something here?
