Jump to content


Photo

Emby Community doesn't use TLS properly

ssl tls emby community secure

  • Please log in to reply
12 replies to this topic

#1 DomiStyle OFFLINE  

DomiStyle

    Member

  • Members
  • 26 posts
  • Local time: 10:33 PM

Posted 18 August 2016 - 02:52 AM

It's 2016 and Emby (Community) still doesn't use proper TLS.

 

  • This page has an Qualys SSL Labs rating of F (this should be A or A+)
  • Most links on this page redirect back to HTTP
  • Most pages are only partially HTTPS
  • You can't login securely without editing the form manually
  • You can't register securely without editing the form manually
  • You can't post in the forum securely without editing the form manually
  • Side note: Your PHP exposes its version freely in your X-Powered-By header
  • Also, your plugin catalog images are loaded solely via HTTP. This results in some of them being blocked by modern browsers.

In a year where SSL certificates are free and there is more than enough documentation on securing a TLS connection it's not acceptable for a company trying to sell products for up to 100$ to be this insecure.

 

I would love to see this done properly.

 

edit: Also just saw the pinned thread. Feel free to move it in there.


Edited by DomiStyle, 18 August 2016 - 02:55 AM.


#2 ebr OFFLINE  

ebr

    Chief Bottle Washer

  • Administrators
  • 50059 posts
  • Local time: 04:33 PM

Posted 18 August 2016 - 04:37 PM

We are looking into this for the forum but just for clarification for others reading - our web site - where we actually sell things - is completely https compatible.


  • Abobader and FrostByte like this

#3 pir8radio OFFLINE  

pir8radio

    NGINX

  • Members
  • 3243 posts
  • Local time: 03:33 PM
  • LocationChicago

Posted 18 August 2016 - 11:08 PM

I sure hope the black hat types don't packet sniff this post, that they can read in the public forum, and use it for E-Vile things...............   Ahhhh I'm just joshing    ;)


Edited by pir8radio, 18 August 2016 - 11:36 PM.


#4 dcook OFFLINE  

dcook

    Advanced Member

  • Members
  • 866 posts
  • Local time: 05:33 PM

Posted 19 August 2016 - 09:22 AM

I don't see the point of encrypting everything, its just a waste of resources.

 

HTTPS and SSL for online ordering sure, but the rest of the site its not needed nor is it needed for these forums.



#5 DomiStyle OFFLINE  

DomiStyle

    Member

  • Members
  • 26 posts
  • Local time: 10:33 PM

Posted 19 August 2016 - 12:15 PM

We are looking into this for the forum but just for clarification for others reading - our web site - where we actually sell things - is completely https compatible.

Good to hear that you are working on it. Compatible yes, but the main emby.media page still needs an OpenSSL update. (this also applies to app.emby.media)

 

I sure hope the black hat types don't packet sniff this post, that they can read in the public forum, and use it for E-Vile things...............   Ahhhh I'm just joshing    wink.png

It's less about the posts and more about the account information and your cookies that get transmitted in plain text.

 

I don't see the point of encrypting everything, its just a waste of resources.

 

HTTPS and SSL for online ordering sure, but the rest of the site its not needed nor is it needed for these forums.

Encryption is so easy and computers are so powerful nowadays there is no reason not to encrypt everything. Not to mention it's unprofessional to transmit your customers/users passwords in plain text.



#6 pir8radio OFFLINE  

pir8radio

    NGINX

  • Members
  • 3243 posts
  • Local time: 03:33 PM
  • LocationChicago

Posted 19 August 2016 - 01:34 PM

Good to hear that you are working on it. Compatible yes, but the main emby.media page still needs an OpenSSL update. (this also applies to app.emby.media)

 

It's less about the posts and more about the account information and your cookies that get transmitted in plain text.

 

Encryption is so easy and computers are so powerful nowadays there is no reason not to encrypt everything. Not to mention it's unprofessional to transmit your customers/users passwords in plain text.

 

I understand your worries...   I'm not an avid ssl'er, true there is plenty of information that I NEED to protect, and in my eyes I can care less about the forum, or most of my internet activity for that matter...  We have so much stuff out there its easier to do a little searching vs the man in the middle fun  lol...   I can search and find your real name, facebook, twiter, github and gaming accounts, in just a few seconds..  You can totally do the same for me..  Then once you know my name and general area where I live, you can search the public tax records for my address, how much I owe/pay..  LOL the list goes on...   SSL has its place, but in my eyes its an added bonus when active where it doesn't need to be.     I'm all for added bonuses...    :D



#7 bigjohn OFFLINE  

bigjohn

    Edge Case

  • Administrators
  • 972 posts
  • Local time: 03:33 PM
  • LocationArkansas, USA

Posted 19 August 2016 - 02:26 PM

Good to hear that you are working on it. Compatible yes, but the main emby.media page still needs an OpenSSL update. (this also applies to app.emby.media)

 

OpenSSL has been updated.


  • Abobader and Vicpa like this

#8 ebr OFFLINE  

ebr

    Chief Bottle Washer

  • Administrators
  • 50059 posts
  • Local time: 04:33 PM

Posted 19 August 2016 - 05:04 PM

Not to mention it's unprofessional to transmit your customers/users passwords in plain text.

 

Just FYI - this never happens with this forum or any of the Emby ecosystem.



#9 DomiStyle OFFLINE  

DomiStyle

    Member

  • Members
  • 26 posts
  • Local time: 10:33 PM

Posted 20 August 2016 - 07:36 AM

...and find your real name, facebook, twiter, github and gaming accounts, in just a few seconds..  You can totally do the same for me...

 
The difference is that all this information is supposed to be found. I put it there myself and I am aware that it can be found. All the form data I submit here like my password/cookies/email address is supposed to be confidential between the site I'm on and me.
 

...Then once you know my name and general area where I live, you can search the public tax records for my address, how much I owe/pay...

 
I don't know where you live but I strongly doubt you can find that information online via a search engine for my country. I get your point though.
 

OpenSSL has been updated.

 
Neat!
 

Just FYI - this never happens with this forum or any of the Emby ecosystem.

 
Uhh, yes it does. It's happening right now:
 
57b840695f66d_embycommunity.png57b8407979f94_embycommunity2.png
 

http://emby.media/community/index.php?app=core&module=global&section=login&do=process

auth_key=<key>
referer=https://emby.media/community/
ips_username=example
ips_password=mypassword
rememberMe=1

Edited by DomiStyle, 20 August 2016 - 07:38 AM.


#10 pir8radio OFFLINE  

pir8radio

    NGINX

  • Members
  • 3243 posts
  • Local time: 03:33 PM
  • LocationChicago

Posted 20 August 2016 - 01:31 PM

 

 
The difference is that all this information is supposed to be found. I put it there myself and I am aware that it can be found. All the form data I submit here like my password/cookies/email address is supposed to be confidential between the site I'm on and me.
 

 
I don't know where you live but I strongly doubt you can find that information online via a search engine for my country. I get your point though.

 

My last comment I promise... Not trying to hijack your thread lol..   My point was that there IS information out there that you DIDNT put there yourself..  Like the property records..   Do some googleing for a similar site in your area, AU has many different ones.  Here are some results from a search in a different area NOT YOURS..  If i wanted to pay 20 or so dollars I could have all kinds of info about a property and owner, there are sites to find out who leases or rents as well, building type all kinds of good info..  Tax and property records will all ways get you.. lol  and we don't really have control of them..  LOL my point was there will always be more valuable info available to a "bad guy" that you can not control..

 

Property lookup: http://maps.sa.gov.au/plb/#

Example reports that anyone can obtain: https://www.sailis.s...ch/CT|5434|49|3

 

Usually these are free, it depends of area, each area of a country has their own GIS service..


Edited by pir8radio, 20 August 2016 - 01:40 PM.


#11 ebr OFFLINE  

ebr

    Chief Bottle Washer

  • Administrators
  • 50059 posts
  • Local time: 04:33 PM

Posted 20 August 2016 - 01:48 PM

 

57b8407979f94_embycommunity2.png
 

http://emby.media/community/index.php?app=core&module=global&section=login&do=process

auth_key=<key>
referer=https://emby.media/community/
ips_username=example
ips_password=mypassword
rememberMe=1

 

Everywhere we have interfaced with this forum software the password is sent in clear text from a network perspective, but the value sent is a salted hash - not the actual password.

 

Did you actually type "myPassword" into the login form and then was able to sniff that out of the data stream?


  • pir8radio likes this

#12 DomiStyle OFFLINE  

DomiStyle

    Member

  • Members
  • 26 posts
  • Local time: 10:33 PM

Posted 20 August 2016 - 02:26 PM

My last comment I promise... Not trying to hijack your thread lol..   My point was that there IS information out there that you DIDNT put there yourself..  Like the property records..   Do some googleing for a similar site in your area, AU has many different ones.  Here are some results from a search in a different area NOT YOURS..  If i wanted to pay 20 or so dollars I could have all kinds of info about a property and owner, there are sites to find out who leases or rents as well, building type all kinds of good info..  Tax and property records will all ways get you.. lol  and we don't really have control of them..  LOL my point was there will always be more valuable info available to a "bad guy" that you can not control..

 

Property lookup: http://maps.sa.gov.au/plb/#

Example reports that anyone can obtain: https://www.sailis.s...ch/CT|5434|49|3

 

Usually these are free, it depends of area, each area of a country has their own GIS service..

 

No worries, there is still some room in this thread. :)

 

Property records are available only by address, not by owner here. Searching a property address by owner name seems like a big security risk to me.

So there is no use in this service because if you already know the address you probably also know the name of the owner.

 

I'm not sure where you get the idea that tax records are published anywhere on the internet for individuals?

My tax records are confidential between me and the tax department. It seems like a stupid idea to expose this kind of information to everyone.

 

Everywhere we have interfaced with this forum software the password is sent in clear text from a network perspective, but the value sent is a salted hash - not the actual password.

 

Did you actually type "myPassword" into the login form and then was able to sniff that out of the data stream?

 

The value is sent unhashed over the network. The hashing is done on the server. Which is why your interface only provides you with the hashed password - it doesn't actually store the plain text password.

"mypassword" is the value of the password field as shown by the Firefox network tools, I didn't replace it afterwards.



#13 pir8radio OFFLINE  

pir8radio

    NGINX

  • Members
  • 3243 posts
  • Local time: 03:33 PM
  • LocationChicago

Posted 20 August 2016 - 02:41 PM

I can actually confirm the above, visible in wireshark, not hashed.  

 

That said, I looked into the payment section for emby purchases and that section is ran by a third party payment company, and I can confirm it IS secured. 

 

57b8a75786219_Screenshotfrom201608201353


Edited by pir8radio, 20 August 2016 - 03:06 PM.






Also tagged with one or more of these keywords: ssl, tls, emby community, secure

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users