Security 101: Secure Connections

Secure Connect Security Remote Access Encrypted

298 replies to this topic

#161 lorac OFFLINE  

lorac

    Advanced Member

  • Members
  • 338 posts
  • Local time: 04:27 PM
  • LocationVancouver, Canada

Posted 23 January 2018 - 07:16 PM

I have no issues with my internal Roku devices.

Sent from my STV100-3 using Tapatalk

#162 Tur0k OFFLINE  

Tur0k

    Advanced Member

  • Members
  • 505 posts
  • Local time: 04:27 PM

Posted 23 January 2018 - 07:54 PM

OK, for the sake of testing, would you confirm you have configured the following:
1. Have a public domain.
2. Loaded a publicly trusted SSL cert on your Emby server.
3. Opened port 8920 on your router.
4. Port forwarded it to your Emby server's IP address.
5. Turned off your Emby server's Windows firewall.


Sent from my iPhone using Tapatalk

#163 lorac OFFLINE  

lorac

    Advanced Member

  • Members
  • 338 posts
  • Local time: 04:27 PM
  • LocationVancouver, Canada

Posted 23 January 2018 - 08:38 PM

1, 3, 4 & 5 are yes. There's no issue reaching the server through Cloudflare using a browser or via the Android app. 2: I generated the cert using the two files provided via CF on the website in the instructions. It works sometimes and other times people say they can't connect.

Sent from my STV100-3 using Tapatalk
  • Tur0k likes this

#164 horstepipe OFFLINE  

horstepipe

    Advanced Member

  • Members
  • 1398 posts
  • Local time: 12:27 AM

Posted 24 January 2018 - 12:46 PM

Hey
I'm thinking about trying to set up nginx and a CA authority to give my Kodi clients a client certificate.
But first I'm having a basic question of understanding:
If one client gets one specific client certificate, can this file just be copied to another device which then gets access to the server, too? I don't want this to be true, but I guess that's the way it works?
What happens if two clients try to establish a connection to the server with the same client cert?

#165 Tur0k OFFLINE  

Tur0k

    Advanced Member

  • Members
  • 505 posts
  • Local time: 04:27 PM

Posted 24 January 2018 - 05:43 PM

1, 3, 4 & 5 are yes. There's no issue reaching the server through Cloudflare using a browser or via the Android app. 2: I generated the cert using the two files provided via CF on the website in the instructions. It works sometimes and other times people say they can't connect.

Sent from my STV100-3 using Tapatalk


So PKI (public key infrastructure) is a set of technologies, systems, and structure that is used to manage public key encryption. From an end user's perspective the core function is that a certificate is trusted because there is a hierarchical chain of certificates that leads to a CA (certificate authority) that you and your client device trust. Your SSL cert needs to list those parent certs in the certificate hierarchy. Sometimes, people only list their SSL cert and no parent. This would break the ability for your device to confirm that your cert was issued by someone they trust.

I would recommend checking that your trusted certificate chain is complete. You should be able to use the below link to check it.
https://whatsmychaincert.com




Sent from my iPhone using Tapatalk
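The chain problem described above (a server that presents only its own cert and no parent) can be reproduced and checked locally. The script below is an added example, not code from this thread, from Emby or from Cloudflare: it builds a throwaway three-level PKI with the openssl command line tool (a root CA, an intermediate CA and a server cert; the names "Example Root CA", "Example Intermediate CA" and emby.example.test are invented for the demo), then validates what a server would send against a trust store that holds only the root, first with the leaf alone and then with the leaf plus its intermediate. It assumes openssl and mktemp are installed.

```shell
#!/bin/sh
# Added example (not part of the forum thread): demonstrate why a server that
# presents only its leaf certificate fails chain validation on the client.
# All names below are made up; only root.crt is placed in the "trust store".
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal openssl config so the demo does not depend on the system openssl.cnf.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
# Extensions for the intermediate CA and for the server (leaf) certificate.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:emby.example.test\n' > leaf.ext

# 1. Self-signed root CA: the only certificate the "client" trusts.
openssl req -x509 -config req.cnf -newkey rsa:2048 -nodes -days 30 \
  -subj "/CN=Example Root CA" -keyout root.key -out root.crt 2>/dev/null

# 2. Intermediate CA, issued by the root.
openssl req -new -config req.cnf -newkey rsa:2048 -nodes \
  -subj "/CN=Example Intermediate CA" -keyout inter.key -out inter.csr 2>/dev/null
openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 30 -extfile ca.ext -out inter.crt 2>/dev/null

# 3. Server (leaf) certificate, issued by the intermediate.
openssl req -new -config req.cnf -newkey rsa:2048 -nodes \
  -subj "/CN=emby.example.test" -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
  -days 30 -extfile leaf.ext -out leaf.crt 2>/dev/null

# check_chain BUNDLE: BUNDLE is what the server would send in the TLS handshake
# (leaf first, then any intermediates). Only root.crt is trusted; everything in
# BUNDLE is untrusted material the client may use to build a path, which is
# how browsers and apps treat it. Prints "complete"/"incomplete", returns 0/1.
check_chain() {
    if openssl verify -CAfile root.crt -untrusted "$1" leaf.crt >/dev/null 2>&1; then
        echo "complete"
        return 0
    fi
    echo "incomplete"
    return 1
}

# Misconfigured server: only its own cert, nothing links it to the root.
cp leaf.crt leaf-only.pem
# Correctly configured server: leaf followed by the intermediate.
cat leaf.crt inter.crt > fullchain.pem

printf 'leaf only:  '; check_chain leaf-only.pem || true
printf 'full chain: '; check_chain fullchain.pem
```

The leaf-only bundle is rejected with "unable to get local issuer certificate" because the client has nothing connecting the server cert to a root it trusts; the same cert validates as soon as the intermediate is sent along with it. This is the kind of check the chain-checking site linked above performs against a live server, and it is why the certificate installed on the server should be the leaf followed by its intermediates rather than the leaf alone.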

#166 lorac OFFLINE  

lorac

    Advanced Member

  • Members
  • 338 posts
  • Local time: 04:27 PM
  • LocationVancouver, Canada

Posted 24 January 2018 - 05:59 PM

It has the correct chain. It's the CF shared SSL cert.

Now that I went back to my pre-SSL settings and changed it back to SSL, I only get a black screen in a browser.

Port 443 is forwarded to 8920 and Windows firewall is set to allow port 8920. WAN IP is correct.

OK, it is working in the browser now. It just doesn't want to work behind PIA VPN. I'll test a Roku using my cell to see if it works. Time will tell if it will work for everyone.


Edited by lorac, 24 January 2018 - 06:10 PM.


#167 Doofus OFFLINE  

Doofus

    Advanced Member

  • Members
  • 10603 posts
  • Local time: 04:27 PM

Posted 24 January 2018 - 06:28 PM

Just so the thread topic doesn't get buried under all the advanced security configurations. Some of us are asking for a basic encryption option in the server settings. Not using letsencrypt or any kind of proxy. Just click this and encrypt the server data. 


  • Tur0k and afullmark like this

#168 afullmark OFFLINE  

afullmark

    Advanced Member

  • Members
  • 91 posts
  • Local time: 11:27 PM

Posted 11 April 2018 - 10:14 AM

Just so the thread topic doesn't get buried under all the advanced security configurations. Some of us are asking for a basic encryption option in the server settings. Not using letsencrypt or any kind of proxy. Just click this and encrypt the server data. 

 

I quite agree with you; I have stuck with Plex because everything, in this regard (SSL), is easy. An option in settings to auto set up everything, hand-held like, would be welcomed by me.



#169 Swynol OFFLINE  

Swynol

    Advanced Member

  • Members
  • 1044 posts
  • Local time: 11:27 PM
  • LocationWales, UK

Posted 19 April 2018 - 10:07 AM

I quite agree with you; I have stuck with Plex because everything, in this regard (SSL), is easy. An option in settings to auto set up everything, hand-held like, would be welcomed by me.

You can't really compare this to Plex; to me Plex is insecure. How Plex works is that it acts like a man-in-the-middle attack. So you open a browser and connect to your Plex server. The data goes from you to the Plex servers (SSL connection). Plex then sees your username/password, IP details, headers etc. From here your data is sent from the Plex servers to your Plex server in sort of plain text and not over an SSL connection. The websocket is then opened from your Plex server directly to your web browser. From what I can gather this isn't over SSL.

Every bit of data you send over your SSL connection to Plex is actually decrypted by their servers before being sent on. So in theory they could snoop on it, i.e. a man-in-the-middle attack.

There is an option in Plex to use your own certificates. If you use your own then the data is encrypted, as only you have the key/crt combo and Plex can't man-in-the-middle it. Adding your own cert is exactly the same as Emby, knowledge/skill-wise.


Edited by Swynol, 19 April 2018 - 10:11 AM.

  • PenkethBoy likes this

#170 Doofus OFFLINE  

Doofus

    Advanced Member

  • Members
  • 10603 posts
  • Local time: 04:27 PM

Posted 19 April 2018 - 03:31 PM

The thing to remember here is that by default there is no security at all. So even if Emby is the middle man, there will at least be some security for the people who have no skills to apply their own. Some is better than none. A disclaimer can be added to let people know the details of what is happening.
  • afullmark likes this

#171 Swynol OFFLINE  

Swynol

    Advanced Member

  • Members
  • 1044 posts
  • Local time: 11:27 PM
  • LocationWales, UK

Posted 19 April 2018 - 03:44 PM

Doesn't Emby Connect offer some security? Probably the same amount as plex.tv offers.



#172 Luke OFFLINE  

Luke

    System Architect

  • Administrators
  • 121604 posts
  • Local time: 07:27 PM

Posted 19 April 2018 - 04:00 PM

Doesn't Emby Connect offer some security? Probably the same amount as plex.tv offers.

 

The login process is over https, so yes.



#173 Doofus OFFLINE  

Doofus

    Advanced Member

  • Members
  • 10603 posts
  • Local time: 04:27 PM

Posted 19 April 2018 - 04:25 PM

That's just password security. I would think you could offer more security as an add-on, and charge a little money for it?

#174 Swynol OFFLINE  

Swynol

    Advanced Member

  • Members
  • 1044 posts
  • Local time: 11:27 PM
  • LocationWales, UK

Posted 19 April 2018 - 04:25 PM

Yeah, so it's basically a DDNS, sort of. Which is almost exactly what Plex offers as standard, except all the snooping that Plex does as extra.

So comparing both, Emby is actually more secure as standard if you use Emby Connect.


Sent from my iPhone using Tapatalk
  • Tur0k likes this

#175 afullmark OFFLINE  

afullmark

    Advanced Member

  • Members
  • 91 posts
  • Local time: 11:27 PM

Posted 20 April 2018 - 08:50 AM

You can't really compare this to Plex; to me Plex is insecure. How Plex works is that it acts like a man-in-the-middle attack. So you open a browser and connect to your Plex server. The data goes from you to the Plex servers (SSL connection). Plex then sees your username/password, IP details, headers etc. From here your data is sent from the Plex servers to your Plex server in sort of plain text and not over an SSL connection. The websocket is then opened from your Plex server directly to your web browser. From what I can gather this isn't over SSL.

Every bit of data you send over your SSL connection to Plex is actually decrypted by their servers before being sent on. So in theory they could snoop on it, i.e. a man-in-the-middle attack.

There is an option in Plex to use your own certificates. If you use your own then the data is encrypted, as only you have the key/crt combo and Plex can't man-in-the-middle it. Adding your own cert is exactly the same as Emby, knowledge/skill-wise.

Despite all this - and maybe Emby would do these things (those above) differently - I would appreciate an option in Emby to set this up for me; paying a yearly fee to Emby would be preferable.



#176 afullmark OFFLINE  

afullmark

    Advanced Member

  • Members
  • 91 posts
  • Local time: 11:27 PM

Posted 20 April 2018 - 08:52 AM

That's just password security. I would think you could offer more security as an add-on, and charge a little money for it?

Yes, this is what I'd support, as an option, with a fee attached. 



#177 afullmark OFFLINE  

afullmark

    Advanced Member

  • Members
  • 91 posts
  • Local time: 11:27 PM

Posted 21 April 2018 - 05:17 AM

I personally would never open Emby up outside my home network without forced HTTPS connections. Maybe I am overly cautious, but I think it is just good practice.

While the Plex solution isn't ideal, it does just work. No need to purchase a domain name, no need to create SSL certificates, no need to renew the certificates.

My suggestion would be for Emby to partner with an SSL cert provider and have an easy way of authenticating the cert from within the Emby dashboard.

 

Yes, to this. 



#178 afullmark OFFLINE  

afullmark

    Advanced Member

  • Members
  • 91 posts
  • Local time: 11:27 PM

Posted 21 April 2018 - 05:25 AM

Good point. I think we have mapped out what we would like to offer the spectrum of users as a user group:

1. Emby Connect redesigned to function as more of a proxy.

I. Minimal user configuration.
II. Check a box, pay the monthly charge.

2. Use your own cloud-hosted proxy provider like Cloudflare. (Should we create a published configuration guide?)

I. Requires port forwarding on home router.
II. Requires purchase of a public domain with public DNS.

3. Use the built-in secure web configuration in Emby.

I. Requires port forwarding on home router.
II. Requires purchase of a public domain with public DNS.
III. Use of either a self-signed or a publicly trusted cert (paid).

4. Set up your own service.

A. VPN

I. Requires port forwarding on home router.
II. Requires purchase of a public domain with public DNS unless you plan on using the public IP address.
III. Management of a local CA for server and client certificates and VPN user accounts.

B. Reverse proxy

I. Requires port forwarding on home router.
II. Requires purchase of a public domain with public DNS unless you plan on using the public IP address.
III. Use of either a self-signed or a publicly trusted cert (paid).
IV. Management and configuration of the reverse proxy.
V. Possible management of a local CA for client certificates.


Sent from my iPhone using Tapatalk

 

Yes to no. 1.



#179 adrianwi OFFLINE  

adrianwi

    Advanced Member

  • Members
  • 307 posts
  • Local time: 11:27 PM
  • LocationScotland

Posted 21 April 2018 - 05:39 AM

Whilst securing a service you are exposing to the internet isn't generally a simple click and go, it is not exactly rocket science either.  

 

If you can't commit a little time to learning and understanding how to set it up and what it's doing, you probably shouldn't be exposing the service(s) to begin with?


  • Swynol, Spaceboy, Tur0k and 1 other like this

#180 afullmark OFFLINE  

afullmark

    Advanced Member

  • Members
  • 91 posts
  • Local time: 11:27 PM

Posted 29 April 2018 - 02:05 PM

Whilst securing a service you are exposing to the internet isn't generally a simple click and go, it is not exactly rocket science either.  

 

If you can't commit a little time to learning and understanding how to set it up and what it's doing, you probably shouldn't be exposing the service(s) to begin with?

 

Then I do think that there should be an addition to the wiki section: "How to set up an SSL certificate with Emby for Windows, Mac and Linux". Any guides are a bit all over the place and rather disconcerting to new members or those considering switching from Plex. Plus, it would make any solution slightly more official and give peace of mind, as opposed to finding a solution via the forums.


  • darkassassin07 likes this
