Server details on display


Marvel emby

dcrdev

The Android TV app does show the address.  This is intended to be informational for the user so they can identify the server properly.

 

I suppose we could remove it but I'm not positive what the real concern is here.  How is anyone going to get to this screen without already having access to your server somehow?

 

Exactly - 

 

What is the problem here? I see 2 options for accessing your server:

  • Directly - in which case they know the address already, or if they have somehow magically arrived on that page, it takes 2 seconds to look at where page requests are being made in the debugger.
  • Via connect - in which case requests are being routed to the server directly and you can still get the origin address in the debugger within 2 seconds.

There is no possible scenario where someone could glean the address from the connect page, without first knowing it, to actually be on that page. 

 

Whilst displaying the address on the page for each app is not strictly necessary, it makes it useful in multi-server setups.

Edited by dcrdev
Link to comment
Share on other sites

Here is my Roku, I find it interesting that @Luke said none of the mobile apps display the ip address?  But then @ebr says the Android app does display it, and so does the Roku?

 

59de9ab96cb0f_20171011_182420.jpg

Link to comment
Share on other sites

Yes there is some inconsistency there that we need to address, so ultimately we need to pick one way or the other.

Link to comment
Share on other sites

Happy2Play

I don't see why any of that matters, unless your Users are screwing you over by posting your server information online.

Link to comment
Share on other sites

Once your server is configured it's information that is not required to be displayed.  If, like the OP stated, for whatever reason you are posting a screen capture of your server selection page, I don't see why anyone would do it, but regardless it's technical information that does not need to be displayed on the user login page.  This information is already listed in the Dashboard when you log in as Admin.

Link to comment
Share on other sites

Happy2Play

Once your server is configured it's information that is not required to be displayed.  If, like the OP stated, for whatever reason you are posting a screen capture of your server selection page, I don't see why anyone would do it, but regardless it's technical information that does not need to be displayed on the user login page.  This information is already listed in the Dashboard when you log in as Admin.

But where did those screen captures come from as they look custom made to me?  And can't tell me the poster does not know what those IPADDRESSes are.  To me those are advertisements, just look at the overview of Emby provided in the pic.  :)

Edited by Happy2Play
  • Like 1
Link to comment
Share on other sites

Here is my Roku, I find it interesting that @Luke said none of the mobile apps display the ip address?  But then @ebr says the Android app does display it, and so does the Roku?

 

I said Android TV (not mobile).

 

In any case, we should be consistent.  I think it is valuable information and I don't understand the risk but I'm not so tied to it that I cannot change.

 

However, I'll almost guarantee if we remove it someone will be out here in no time asking where it went and chastising us for removing a "feature".

Link to comment
Share on other sites

dcrdev

I use the pin 1234 for my credit card, today I gave my credit card to a complete stranger. Now all of my money has vanished, I'm absolutely outraged at this debacle.

 

The audacity of my bank to let this happen, they can rest assured that I will be filing a formal complaint... via facebook.

  • Like 1
Link to comment
Share on other sites

Jdiesel

I use the pin 1234 for my credit card, today I gave my credit card to a complete stranger. Now all of my money has vanished, I'm absolutely outraged at this debacle.

 

The audacity of my bank to let this happen, they can rest assured that I will be filing a formal complaint... via facebook.

 

I think a better analogy is someone took a photo of my credit card when I wasn't looking and now they are using it to make purchases but I don't realize this is happening and do something to stop it because I don't review my statements. They should remove the number off the front of the card so this doesn't happen again and I can continue to not worry about reviewing my statements or getting a new card with a PIN.

Edited by Jdiesel
  • Like 1
Link to comment
Share on other sites

I don't think it's a big issue to have the ip address/port there, it does not bother me at all. 

 

But if someone did take a photo and had their server open to the internet it could cause unauthorized access. 

But honestly if they did take a photo and shared it they probably deserve it.

 

That being said I don't think there is any harm in hiding that info either as once you have your server set up it's not really useful for anything.

Link to comment
Share on other sites

I don't see why any of that matters, unless your Users are screwing you over by posting your server information online.

I think this right here is the truth of it. If someone is posting screenshots of just the emby server login it really only serves 1 purpose and that is to tell others about the server. As far as the question about scrubbing the log files, if you want to do that it's pretty easy since they are in plain text, use find and replace in the editor of your choice and find your private and/or public ip and have it replaced with say <none of your beeswax!> 

It's not a bad idea, but it won't stop the problem if people are sharing your server. Thankfully emby does give the server admins options on this front.

Link to comment
Share on other sites

Jdiesel

I think this right here is the truth of it. If someone is posting screenshots of just the emby server login it really only serves 1 purpose and that is to tell others about the server. As far as the question about scrubbing the log files, if you want to do that it's pretty easy since they are in plain text, use find and replace in the editor of your choice and find your private and/or public ip and have it replaced with say <none of your beeswax!> 

It's not a bad idea, but it won't stop the problem if people are sharing your server. Thankfully emby does give the server admins options on this front.

 

Sometimes I end up not posting log files because of the effort to scrub out personal information. Server IP/hostname, client IPs, IPTV links and password hashes. I guess I'm just lazy but also my laptop seems to hate opening +100Mb text files.

Link to comment
Share on other sites
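Added example, not part of any post in this thread and not Emby code: a streaming scrubber for the log clean-up discussed above, which handles large files line by line and gives each address or link a stable placeholder so the log stays useful for support. The sample lines, their format, and the names `LogScrubber`, `scrub_text` and `SAMPLE` are constructed for illustration; password hashes are not covered.

```python
import io
import ipaddress
import re

# Dotted quads not embedded in a longer dotted number; validated afterwards.
IPV4_RE = re.compile(r"(?<!\d)(?<!\d\.)(\d{1,3}(?:\.\d{1,3}){3})(?!\d|\.\d)")
URL_RE = re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s\"'<>]+", re.IGNORECASE)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed sample lines (hypothetical format, not real Emby output).
SAMPLE = (
    "18:24:20 Info HttpServer: request from 192.168.1.50 to /emby/Sessions\n"
    "18:24:21 Info App: WAN address 203.0.113.7. LAN address 192.168.1.10\n"
    "18:24:22 Info LiveTv: url=http://iptv.example/list.m3u?token=abc123\n"
    "18:24:23 Info App: version 4.300.1.999 listening on 127.0.0.1\n"
)

class LogScrubber:
    """Swaps addresses for stable placeholders so the log stays readable."""
    def __init__(self):
        self.names = {}  # original value -> placeholder

    def _token(self, value, kind):
        return self.names.setdefault(value, "<%s-%d>" % (kind, len(self.names) + 1))

    def _ip(self, match):
        text = match.group(1)
        try:
            addr = ipaddress.IPv4Address(text)
        except ipaddress.AddressValueError:
            return text  # not an address, e.g. 4.300.1.999
        if addr.is_loopback:
            return text  # 127.0.0.1 identifies nobody
        lan = any(addr in net for net in RFC1918)
        return self._token(text, "LAN-IP" if lan else "WAN-IP")

    def scrub_line(self, line):
        # URLs first, so a link is replaced whole rather than half-redacted.
        line = URL_RE.sub(lambda m: self._token(m.group(0), "URL"), line)
        return IPV4_RE.sub(self._ip, line)

    def scrub_stream(self, src, dst):
        # One line at a time, so a 100 MB log never has to fit in memory.
        count = 0
        for line in src:
            dst.write(self.scrub_line(line))
            count += 1
        return count

def scrub_text(text):
    out = io.StringIO()
    LogScrubber().scrub_stream(io.StringIO(text), out)
    return out.getvalue()
```

For a file on disk, pass two open file objects to `scrub_stream`. A dotted version string whose four parts are all 255 or less is indistinguishable from an address and is redacted as well.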

Lol ya fair enough there jdiesel I can see the problem on that. I often skip scrubbing the log because of laziness and technically the public IP in my log isn't the public IP, my router is behind my phone system, which acts as a router.

Link to comment
Share on other sites

Marvel emby

This isn't affecting me personally. I just see in groups people's ip addresses for emby accounts, and basically if they can't get hold of the ip address they can't post it in the groups in the first place. Anyone can add a server and put others' emby accounts onto theirs. People name their servers, so no ip should be on display. The photos are people's emby accounts; I can easily post more but I won't. This is only an option I was asking for, just for better security for people learning and building their own emby servers.

Link to comment
Share on other sites

This isn't affecting me personally. I just see in groups people's ip addresses for emby accounts, and basically if they can't get hold of the ip address they can't post it in the groups in the first place. Anyone can add a server and put others' emby accounts onto theirs. People name their servers, so no ip should be on display. The photos are people's emby accounts; I can easily post more but I won't. This is only an option I was asking for, just for better security for people learning and building their own emby servers.

 

I still don't understand the risk. Once someone has access to your server, they can obtain the address in a multitude of ways (like the address bar of a browser) and the only way they get to the server selection screen with your server on it is if they have access to your server.

 

Also, as you'll notice, this is a local address that is displayed.  It is useless to anyone not on your local LAN.

 

 

Here is my Roku, I find it interesting that @Luke said none of the mobile apps display the ip address?  But then @ebr says the Android app does display it, and so does the Roku?

 

59de9ab96cb0f_20171011_182420.jpg

 

 

I don't think there is any security risk in showing the local address on this screen and it provides a way to differentiate entries with the same name - which could happen either due to an IP address change (in which case you can easily see which one you should delete) or if you have two friends who both named their server "MediaServer".

 

As I said, I don't necessarily think this is a key piece of information but, given I can't identify a risk with it, I don't want to just remove it since it has been there all along so removing it is likely to be a detriment to some set of existing users.

Link to comment
Share on other sites

That was just an example, if I was connecting from external it would have had the external address.

I agree the risk is minimal and if one is stupid enough to take photos of the server selection screen and publish them, they only have themselves to blame.

Link to comment
Share on other sites

That was just an example, if I was connecting from external it would have had the external address.

 

In the Android TV app it always shows the local address.  I can ensure that is the case for Roku as well if need be.

Link to comment
Share on other sites
