
Emby Community doesn't use TLS properly


DomiStyle


DomiStyle

It's 2016 and Emby (Community) still doesn't use proper TLS.

 

  • This page has a Qualys SSL Labs rating of F (this should be A or A+)
  • Most links on this page redirect back to HTTP
  • Most pages are only partially HTTPS
  • You can't login securely without editing the form manually
  • You can't register securely without editing the form manually
  • You can't post in the forum securely without editing the form manually
  • Side note: Your PHP exposes its version freely in your X-Powered-By header
  • Also, your plugin catalog images are loaded solely via HTTP. This results in some of them being blocked by modern browsers.

In a year where SSL certificates are free and there is more than enough documentation on securing a TLS connection, it's not acceptable for a company trying to sell products for up to $100 to be this insecure.

 

I would love to see this done properly.

 

edit: Also just saw the pinned thread. Feel free to move it in there.

Edited by DomiStyle
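The defects listed in the opening post (HTTPS pages redirecting back to HTTP, forms that submit over plain HTTP, mixed-content images, a version-revealing X-Powered-By header) can all be checked statically from one captured response. The following checker is an added example and is not code from Emby or from the forum software; the page URL, headers and HTML it inspects are a constructed sample that reproduces the kinds of defects described, not a real capture. It also flags a session cookie issued without the Secure flag, which the thread's later discussion of cookies sent in plain text implies.

```python
"""Static audit of one captured HTTP response for the TLS-deployment
defects discussed in this thread. Added example; not Emby's or the
forum software's own code. The sample response below is constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _RefCollector(HTMLParser):
    """Collect form submission URLs and sub-resource URLs from an HTML body."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.form_actions = []   # absolute URLs the page's forms submit to
        self.subresources = []   # absolute URLs of img/script/iframe/link

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A form without an action submits back to the page's own URL.
            self.form_actions.append(urljoin(self.base_url, a.get("action") or ""))
        elif tag in ("img", "script", "iframe") and a.get("src"):
            self.subresources.append(urljoin(self.base_url, a["src"]))
        elif tag == "link" and a.get("href"):
            self.subresources.append(urljoin(self.base_url, a["href"]))


def audit_response(page_url, status, headers, body):
    """Return a list of (severity, message) findings for one response.

    page_url: URL that was requested (its scheme decides what counts as mixed
              content); status: HTTP status code; headers: dict of response
              headers (looked up case-insensitively); body: HTML text.
    """
    findings = []
    hdr = {k.lower(): v for k, v in headers.items()}
    scheme = urlsplit(page_url).scheme

    # 1. An HTTPS request answered with a redirect back to plain HTTP.
    location = hdr.get("location")
    if 300 <= status < 400 and location:
        target = urljoin(page_url, location)
        if scheme == "https" and urlsplit(target).scheme == "http":
            findings.append(("high", f"HTTPS page redirects to HTTP: {target}"))

    # 2. Server/framework version disclosure in response headers.
    for name in ("x-powered-by", "server"):
        if name in hdr and any(ch.isdigit() for ch in hdr[name]):
            findings.append(("low", f"{name} header discloses version: {hdr[name]}"))

    # 3. Cookies issued without the Secure flag can be replayed over HTTP.
    set_cookie = hdr.get("set-cookie", "")
    if set_cookie and "secure" not in set_cookie.lower():
        findings.append(("medium", "Set-Cookie without Secure flag: " + set_cookie.split(";")[0]))

    collector = _RefCollector(page_url)
    collector.feed(body)

    # 4. Forms that would submit their fields (e.g. a login) over plain HTTP.
    for action in collector.form_actions:
        if urlsplit(action).scheme == "http":
            findings.append(("high", f"form submits over HTTP: {action}"))

    # 5. Mixed content: an HTTPS page pulling sub-resources over HTTP.
    if scheme == "https":
        for url in collector.subresources:
            if urlsplit(url).scheme == "http":
                findings.append(("medium", f"mixed content over HTTP: {url}"))
    return findings


# Constructed sample: an HTTPS forum page showing the defects described above.
SAMPLE_URL = "https://forum.example/community/"
SAMPLE_HEADERS = {
    "Content-Type": "text/html",
    "X-Powered-By": "PHP/5.4.45",                          # constructed value
    "Set-Cookie": "session_id=abc123; Path=/; HttpOnly",   # no Secure flag
}
SAMPLE_BODY = """
<html><body>
<form action="http://forum.example/community/index.php?section=login" method="post">
  <input name="ips_username"><input name="ips_password" type="password">
</form>
<img src="http://forum.example/plugins/catalog/icon.png">
<script src="/static/app.js"></script>
</body></html>
"""

if __name__ == "__main__":
    for severity, msg in audit_response(SAMPLE_URL, 200, SAMPLE_HEADERS, SAMPLE_BODY):
        print(f"[{severity}] {msg}")
```

Run against a real site, `page_url`, `status`, `headers` and `body` would come from whatever client fetched the page; the checker itself never makes a request, so it can be run over saved responses from a crawl.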

We are looking into this for the forum but just for clarification for others reading - our web site - where we actually sell things - is completely https compatible.


pir8radio

I sure hope the black hat types don't packet sniff this post, that they can read in the public forum, and use it for E-Vile things...............   Ahhhh I'm just joshing    ;)

Edited by pir8radio

dcook

I don't see the point of encrypting everything, it's just a waste of resources.

 

HTTPS and SSL for online ordering sure, but for the rest of the site it's not needed, nor is it needed for these forums.


DomiStyle

We are looking into this for the forum but just for clarification for others reading - our web site - where we actually sell things - is completely https compatible.

Good to hear that you are working on it. Compatible yes, but the main emby.media page still needs an OpenSSL update. (this also applies to app.emby.media)

 

I sure hope the black hat types don't packet sniff this post, that they can read in the public forum, and use it for E-Vile things...............   Ahhhh I'm just joshing    ;)

It's less about the posts and more about the account information and your cookies that get transmitted in plain text.

 

I don't see the point of encrypting everything, it's just a waste of resources.

 

HTTPS and SSL for online ordering sure, but for the rest of the site it's not needed, nor is it needed for these forums.

Encryption is so easy and computers are so powerful nowadays there is no reason not to encrypt everything. Not to mention it's unprofessional to transmit your customers/users passwords in plain text.


pir8radio

Good to hear that you are working on it. Compatible yes, but the main emby.media page still needs an OpenSSL update. (this also applies to app.emby.media)

 

It's less about the posts and more about the account information and your cookies that get transmitted in plain text.

 

Encryption is so easy and computers are so powerful nowadays there is no reason not to encrypt everything. Not to mention it's unprofessional to transmit your customers/users passwords in plain text.

 

I understand your worries...   I'm not an avid ssl'er, true there is plenty of information that I NEED to protect, and in my eyes I can care less about the forum, or most of my internet activity for that matter...  We have so much stuff out there it's easier to do a little searching vs the man in the middle fun  lol...   I can search and find your real name, facebook, twitter, github and gaming accounts, in just a few seconds..  You can totally do the same for me..  Then once you know my name and general area where I live, you can search the public tax records for my address, how much I owe/pay..  LOL the list goes on...   SSL has its place, but in my eyes it's an added bonus when active where it doesn't need to be.     I'm all for added bonuses...    :D


Good to hear that you are working on it. Compatible yes, but the main emby.media page still needs an OpenSSL update. (this also applies to app.emby.media)

 

OpenSSL has been updated.


Not to mention it's unprofessional to transmit your customers/users passwords in plain text.

 

Just FYI - this never happens with this forum or any of the Emby ecosystem.


DomiStyle

...and find your real name, facebook, twitter, github and gaming accounts, in just a few seconds..  You can totally do the same for me...

 

The difference is that all this information is supposed to be found. I put it there myself and I am aware that it can be found. All the form data I submit here like my password/cookies/email address is supposed to be confidential between the site I'm on and me.

 

...Then once you know my name and general area where I live, you can search the public tax records for my address, how much I owe/pay...

 

I don't know where you live but I strongly doubt you can find that information online via a search engine for my country. I get your point though.

 

OpenSSL has been updated.

 

Neat!

 

Just FYI - this never happens with this forum or any of the Emby ecosystem.

 

Uhh, yes it does. It's happening right now:

 

[attached screenshots: embycommunity.png, embycommunity2.png]

 

http://emby.media/community/index.php?app=core&module=global&section=login&do=process

auth_key=<key>
referer=https://emby.media/community/
ips_username=example
ips_password=mypassword
rememberMe=1
Edited by DomiStyle

pir8radio

 

 

The difference is that all this information is supposed to be found. I put it there myself and I am aware that it can be found. All the form data I submit here like my password/cookies/email address is supposed to be confidential between the site I'm on and me.

 

 

I don't know where you live but I strongly doubt you can find that information online via a search engine for my country. I get your point though.

 

My last comment I promise... Not trying to hijack your thread lol..   My point was that there IS information out there that you DIDN'T put there yourself..  Like the property records..   Do some googling for a similar site in your area, AU has many different ones.  Here are some results from a search in a different area NOT YOURS..  If I wanted to pay 20 or so dollars I could have all kinds of info about a property and owner, there are sites to find out who leases or rents as well, building type all kinds of good info..  Tax and property records will always get you.. lol  and we don't really have control of them..  LOL my point was there will always be more valuable info available to a "bad guy" that you cannot control..

 

Property lookup: http://maps.sa.gov.au/plb/#

Example reports that anyone can obtain: https://www.sailis.sa.gov.au/products/order/propertySearch/CT%7C5434%7C49%7C3

 

Usually these are free, it depends on the area, each area of a country has their own GIS service..

Edited by pir8radio

 

[quoted screenshot: embycommunity2.png]

 

http://emby.media/community/index.php?app=core&module=global&section=login&do=process

auth_key=<key>
referer=https://emby.media/community/
ips_username=example
ips_password=mypassword
rememberMe=1

 

Everywhere we have interfaced with this forum software the password is sent in clear text from a network perspective, but the value sent is a salted hash - not the actual password.

 

Did you actually type "myPassword" into the login form and were then able to sniff that out of the data stream?


DomiStyle

My last comment I promise... Not trying to hijack your thread lol..   My point was that there IS information out there that you DIDN'T put there yourself..  Like the property records..   Do some googling for a similar site in your area, AU has many different ones.  Here are some results from a search in a different area NOT YOURS..  If I wanted to pay 20 or so dollars I could have all kinds of info about a property and owner, there are sites to find out who leases or rents as well, building type all kinds of good info..  Tax and property records will always get you.. lol  and we don't really have control of them..  LOL my point was there will always be more valuable info available to a "bad guy" that you cannot control..

 

Property lookup: http://maps.sa.gov.au/plb/#

Example reports that anyone can obtain: https://www.sailis.sa.gov.au/products/order/propertySearch/CT%7C5434%7C49%7C3

 

Usually these are free, it depends on the area, each area of a country has their own GIS service..

 

No worries, there is still some room in this thread. :)

 

Property records are available only by address, not by owner here. Searching a property address by owner name seems like a big security risk to me.

So there is no use in this service because if you already know the address you probably also know the name of the owner.

 

I'm not sure where you get the idea that tax records are published anywhere on the internet for individuals?

My tax records are confidential between me and the tax department. It seems like a stupid idea to expose this kind of information to everyone.

 

Everywhere we have interfaced with this forum software the password is sent in clear text from a network perspective, but the value sent is a salted hash - not the actual password.

 

Did you actually type "myPassword" into the login form and were then able to sniff that out of the data stream?

 

The value is sent unhashed over the network. The hashing is done on the server. Which is why your interface only provides you with the hashed password - it doesn't actually store the plain text password.

"mypassword" is the value of the password field as shown by the Firefox network tools, I didn't replace it afterwards.

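The exchange above turns on one point: the forum hashes the password with a salt on the server, after it has already crossed the network, so the salted hash protects the stored credential but not the submission. The following is an added example, not code from the forum software or from Emby, that makes that separation concrete and shows the check a network monitor or proxy log reviewer would apply to flag credential fields submitted over plain HTTP. The request it inspects is a constructed sample modelled on the form fields quoted in the thread; the field names and the hashing parameters (PBKDF2-SHA256, an assumption, not what the forum software uses) are illustrative.

```python
"""Why a server-side salted hash does not protect a login over plain HTTP,
plus a detector for cleartext credential submissions in logged requests.
Added example; not the forum software's or Emby's own code. All requests
below are constructed samples, not real traffic."""
import hashlib
import os
from urllib.parse import parse_qs, urlsplit

# Field-name fragments that indicate a credential (assumed list).
CREDENTIAL_TOKENS = ("password", "passwd", "pwd")


def server_side_store(password, salt=None):
    """What the server does after receiving the form: salt and hash.

    PBKDF2-SHA256 is an assumed scheme for illustration. The point is that
    this step runs only after the plaintext value has crossed the network,
    so it cannot protect the value in transit.
    """
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def find_cleartext_credentials(request):
    """Return the names of credential fields sent in clear in one request.

    request = {"method", "url", "headers", "body"}, as a proxy or network
    monitor would log them. A field counts only when the transport is plain
    HTTP and the body is a URL-encoded form with a password-like field.
    """
    if request["method"].upper() != "POST":
        return []
    if urlsplit(request["url"]).scheme != "http":
        return []   # TLS-protected submissions are not readable on the wire
    headers = {k.lower(): v for k, v in request["headers"].items()}
    ctype = headers.get("content-type", "")
    if not ctype.startswith("application/x-www-form-urlencoded"):
        return []
    fields = parse_qs(request["body"], keep_blank_values=True)
    return [name for name in fields
            if any(tok in name.lower() for tok in CREDENTIAL_TOKENS)]


# Constructed sample: a login form posted to the forum over plain HTTP.
SAMPLE_REQUEST = {
    "method": "POST",
    "url": "http://forum.example/community/index.php?section=login",
    "headers": {"Content-Type": "application/x-www-form-urlencoded"},
    "body": "auth_key=deadbeef&referer=https%3A%2F%2Fforum.example%2F"
            "&ips_username=example&ips_password=mypassword&rememberMe=1",
}


def demo():
    """Show the wire value next to what the server would actually store."""
    leaked = find_cleartext_credentials(SAMPLE_REQUEST)
    # The value on the wire is the literal password; the salted hash exists
    # only in the server's database and never on the network path.
    wire_value = parse_qs(SAMPLE_REQUEST["body"])["ips_password"][0]
    _salt, digest = server_side_store(wire_value)
    return leaked, wire_value, digest.hex()


if __name__ == "__main__":
    leaked, wire_value, stored = demo()
    print("cleartext credential fields:", leaked)
    print("value on the wire:", wire_value)
    print("value the server stores:", stored)
```

The same request with an `https://` URL produces no finding, which is the whole remedy: once the form and its action are served over TLS, the monitor has nothing to read, and the server-side hash is left to do the job it was designed for, protecting the stored credential.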

pir8radio

I can actually confirm the above, visible in Wireshark, not hashed.

 

That said, I looked into the payment section for Emby purchases and that section is run by a third party payment company, and I can confirm it IS secured.

 

[attached screenshot: Screenshotfrom201608201353]

Edited by pir8radio
