Request a 302 Redirect from HTTP login to HTTPS on app.emby.media


sarsnick

I am logging into my new account and I saw myself sitting in front of http://app.emby.media/connectlogin.html?mode=connect .  No HTTPS.

 

This is the easiest thing to fix for my clients. It's either change the page to a plain page (no forms or anything) that immediately redirects the user to the proper HTTPS site, or put a rule into .htaccess (or similar) to send a user requesting the non-SSL site a 302 Redirect to the https page.

 

Serving a login page on HTTP means that anyone who happens to be on the same network as the victim will be able to pull creds, or the attacker can use it as a framing attack that leaves the victim not even knowing their creds were just snatched (via registering a homoglyph domain such as еmbу.media, where the e and y are Cyrillic but can still be registered).

 

Usually the easiest thing, until I got one client that said they needed HTTP logins because they didn't configure their F5 properly yet (after 2 years online :( )

 

Your product is great and I want to help support such a media server that allows me to use my GPU :) !

 

Sarsnick

 

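The .htaccess rule sarsnick describes, written out as an added example; it is not part of the thread and not Emby's own configuration. It assumes an Apache vhost with mod_rewrite enabled serving the plain-HTTP hostname, and that any TLS-terminating proxy in front of it sets the X-Forwarded-Proto header (both assumptions about the deployment, not facts from the thread).

```apache
# Added example (not from the thread or from Emby): .htaccess placed in the
# document root of the HTTP vhost. Every request that did not arrive over TLS
# is answered with a 302 to the same host and path on HTTPS, so the login
# form is never rendered over plain HTTP.
RewriteEngine On

# Condition 1: the request was not served over TLS by this Apache instance.
RewriteCond %{HTTPS} !=on
# Condition 2 (assumed proxy setup): a TLS-terminating load balancer in front
# of Apache has not already marked the hop as https. Adjust the header name to
# whatever your proxy actually sets; without this line a proxied HTTPS request
# would loop.
RewriteCond %{HTTP:X-Forwarded-Proto} !=https

# Preserve host, path and query string; R=302 is the temporary redirect the
# post asks for, L stops further rule processing.
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=302,L]
```

Once the HTTPS side is confirmed working, the usual hardening is to change `R=302` to `R=301` and to send a `Strict-Transport-Security` header from the HTTPS vhost only, so browsers that have seen the site once refuse to issue the plain-HTTP request in the first place. A quick check from the client side is `curl -sI http://example.test/connectlogin.html`, which should show the 3xx status and a `Location:` header pointing at the https URL rather than a 200 with the form.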

Thanks for the feedback. Be aware you can also use the https version of the same online web app. Thanks !


sarsnick

I did bring up that the HTTPS version is up, and having that is not a solution to the fact that the HTTP is 100% usable to not only steal username/passwords but also steal session keys.

 

From the sounds of it, you are going to take care of this soon? If not, kind of discomforting.


We may add an option to force ssl but it's only going to work if you have an SSL cert that all of your devices will accept.


sarsnick

We may add an option to force ssl but it's only going to work if you have an SSL cert that all of your devices will accept.

 

Oh, I am not talking about that. I am talking about a part of your web site domain: you can open http://app.emby.media/ in your browser and see the browser probably yelling at you that you are not connected via https.

 

Unless you are saying that because of the inability to verify certs through the mobile clients, that login page NEEDS to be able to accept non-ssl connections.


An https site cannot communicate with http addresses, that is why the http version is still around. If you use the https version you will not be able to connect to your Emby Server unless the browser accepts your SSL cert. Most people would see the connection failure and automatically assume something is wrong with Emby, so that is why we need to keep the http version around.


  • 1 year later...
mrmachine

@Luke Can you put the insecure page on a different domain or something then? I get caught out by this all the time. I go to `app.emby.media` and go to log in, then have to stop myself before I accidentally send my password in clear text over the internet.

 

Using a different domain would provide better security for the majority of users and make it an intentional choice if/when people need to use HTTP for emby connect because their servers are also limited to HTTP.

 

Users attempting to connect to HTTP servers through HTTPS emby connect could be told the reason why it is failing and how to fix it, making it an explicit choice and prompting them to improve the security of their servers.

 

In 2018 there's really no reason not to run HTTPS for every web service, with the easy availability of free SSL certs, and allowing users to accidentally send their passwords over plain text is irresponsible.


I agree that https would be ideal, but that can't be done without a domain name. That is the holdup to providing ssl out of the box.


I agree that https would be ideal, but that can't be done without a domain name. That is the holdup to providing ssl out of the box.

@Luke, add this to the list of things to talk about with the group you are putting together for Emby Connect.

This can be done pretty easily but would require a small change, and doing the dev work at the same time for connections would make sense.
