
Security 101: Secure Connections


regid


pwhodges
1 hour ago, Blam84 said:

Interesting. I'm curious what you mean by Admin? Because I'm pretty certain all Emby users are not Admins [...]  Are you suggesting these folks need to be just as educated? 

If you have a computer connected to the Internet, you owe it to yourself to learn about networking and security - which are admin functions.

Paul


pwhodges
1 hour ago, Blam84 said:

That is correct, yes. And for those who don't care about being tracked, they would choose this option.

Many do - and you are free to.

Paul


Q-Droid
2 hours ago, nahtay said:

I'm close I think. I just have never done a reverse proxy. I have a domain. I installed docker. I just don't know how to get it working to enable SSL.

Get Caddy, also available as a docker image. It is much easier to get working and less prone to errors than nginx. By this I mean user inflicted configuration errors.

 

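A minimal Caddyfile for the setup suggested in the post above, given here as an added example that is not part of the original thread. It assumes a placeholder domain `emby.example.com`, an Emby container reachable as `emby` on the same Docker network listening on Emby's default HTTP port 8096, and an illustrative log path; ports 80 and 443 must reach Caddy so it can obtain its certificate.

```caddyfile
# Added example. Assumptions: emby.example.com is a placeholder domain,
# "emby" is the name of the Emby container on the same Docker network,
# and the log path is illustrative.
emby.example.com {
	# Naming the site by domain turns on automatic HTTPS: Caddy requests
	# and renews the certificate and redirects http:// to https://.

	header {
		# Tell browsers to use HTTPS only for this host from now on.
		Strict-Transport-Security "max-age=31536000"
		X-Content-Type-Options "nosniff"
	}

	# Emby stays on plain HTTP inside the Docker network only.
	# Do not publish 8096 on the host or forward it on the router;
	# only Caddy's 80 and 443 face the Internet.
	reverse_proxy emby:8096

	# Access log for review, or for a log-watching tool such as fail2ban.
	log {
		output file /var/log/caddy/emby-access.log
	}
}
```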

Q-Droid
3 hours ago, Blam84 said:

Just hopping in to say that this thread has been active since 2018. From a basic customer service standpoint, offering a solution to those who don't want to get a college degree in networking just to use Emby securely is something the Devs should consider. I don't know the impact of offering this (cost, maintenance etc) so I concede if the demand is too much. But offering this as an OPTION and not a REQUIREMENT seems reasonable.

I'm just curious why this hasn't been developed and offered yet?

I think you sort of answered your question. This thread goes back to 2018 and the requests for built-in TLS go back longer.

It hasn't been done because it's difficult and costly to take on what's needed to provide this for all users who may want it. It is about cost and maintaining the Emby position of protecting user privacy.

 

 


Blam84
4 hours ago, Q-Droid said:

I think you sort of answered your question. This thread goes back to 2018 and the requests for built-in TLS go back longer.

It hasn't been done because it's difficult and costly to take on what's needed to provide this for all users who may want it. It is about cost and maintaining the Emby position of protecting user privacy.

 

 

And that's totally fair. I do think it will be the ultimate cause of Emby's demise, or at least cementing a position of relative obscurity. But we'll see how well this comment ages.


Q-Droid
1 hour ago, Blam84 said:

And that's totally fair. I do think it will be the ultimate cause of Emby's demise, or at least cementing a position of relative obscurity. But we'll see how well this comment ages.

People have been saying the lack of one thing or another will be the end of Emby, yet this number keeps going up.

[image]


Happy2Play
3 minutes ago, Q-Droid said:

People have been saying the lack of one thing or another will be the end of Emby, yet this number keeps going up.

[image]

Not to mention all the users outside of Connect.


Q-Droid

The thing is as technology progresses what may be considered advanced or difficult is always moving downstream. More companies are offering network edge technologies on consumer devices so it's only getting easier to secure networks, devices and applications in the home. There could be little to gain for the Emby team to pursue this as a service or built-in option because eventually it might not be needed. Options like Let's Encrypt have exploded in just a few years and are already included with many devices and software. An area the Emby team could improve is documentation: create and maintain easy to follow guides for the more popular options available. Actual documentation rather than pinned or re-linked forum posts, with links from the web app like the current "Connection Help" from the server dashboard.

Some day in the not so distant future this might be transparently built-in to everything.

 


Blam84
9 hours ago, Q-Droid said:

People have been saying the lack of one thing or another will be the end of Emby, yet this number keeps going up.

[image]

Right. And Plex has 25 million. And there's a good reason for that. As someone who recently moved from Plex to Emby purely because of privacy issues, I can tell you that the path has not been easy. And I'm not a 90 year old technophobe.


Q-Droid
1 hour ago, ebr said:

You are aware of https://emby.media/support/articles/Home.html right?

I'm not saying it is 100% complete but it's not like we have nothing...

I am. I should've emphasized the maintain part. Some are good and some are dated or lacking. Needs work... 


crusher11
6 hours ago, Blam84 said:

Right. And Plex has 25 million. And there's a good reason for that. As someone who recently moved from Plex to Emby purely because of privacy issues, I can tell you that the path has not been easy. And I'm not a 90 year old technophobe.

So you moved from Plex to Emby specifically because of privacy concerns, and you think Emby will fail unless it compromises your privacy the way Plex does?


Blam84
6 hours ago, crusher11 said:

So you moved from Plex to Emby specifically because of privacy concerns, and you think Emby will fail unless it compromises your privacy the way Plex does?

I think that if Emby doesn't offer options that "regular" people can implement, they will limit their customer base.


Happy2Play
31 minutes ago, Blam84 said:

I think that if Emby doesn't offer options that "regular" people can implement, they will limit their customer base.

Well, all the how-to guides are everywhere. As it will come down to a user locking down their network and hardware. There is not a product in this world that will do everything for you.


Blam84
11 hours ago, Happy2Play said:

Well, all the how-to guides are everywhere. As it will come down to a user locking down their network and hardware. There is not a product in this world that will do everything for you.

Oh, but there is. Most software today requires running a simple install program, clicking "yes" a few times during install, and moving forward with using the software. Emby is far from that. My initial comment was simply to make sure that the Devs realize that installation requires above-average technical skill. I've worked in databases and tech project management (not networking) for many years and I have had multiple issues. I am also stubborn, so I stuck with it. Many, many people who lack my stubbornness, or have less technical skill than I do, would have packed their bags. As I have said multiple times here, if that is a business decision for those in charge, so be it. Nothing wrong with having a high quality product, with less users, that is sustainable and provides a niche service....as long as everyone realizes that this business model means there is a ceiling for users.


rbjtech
1 hour ago, Blam84 said:

Oh, but there is. Most software today requires running a simple install program, clicking "yes" a few times during install, and moving forward with using the software. Emby is far from that. My initial comment was simply to make sure that the Devs realize that installation requires above-average technical skill. I've worked in databases and tech project management (not networking) for many years and I have had multiple issues. I am also stubborn, so I stuck with it. Many, many people who lack my stubbornness, or have less technical skill than I do, would have packed their bags. As I have said multiple times here, if that is a business decision for those in charge, so be it. Nothing wrong with having a high quality product, with less users, that is sustainable and provides a niche service....as long as everyone realizes that this business model means there is a ceiling for users.

If you are just referring to a https connection, as opposed to http - then maybe. But anybody that is serious about hosting an emby server on the public internet and understands the risks associated with this, will start to deploy industry standard mechanisms - such as reverse proxies, threat management, packet inspection, network isolation etc etc. Is emby expected to incorporate all these into their software? Of course not, but they do need to work with them. Which they do - emby has 'reverse proxy' settings for this very reason. This, I believe, is what @Happy2Play is referring to when he says no product does all of this (and never will) - and he is correct.

I do however tend to agree that providing an 'easy' option of remote access in 2024 - does imply it is secure (https) when it actually is not - and no notification/risks of this are given.   

To their credit, Emby have made some good advances in security of the product over the last year or so (possibly driven by the vulnerability breach) but they still have this glaring http only issue that needs some options.   


richt

This is a subject that really gets to me.  Too many software applications, not just Emby, advise users that their program can easily be connected to the Internet and shared with friends, etc.  And then all they do is advise them on how to configure their Internet router to make it happen.  From my perspective as a (now retired) network engineer these vendors, Emby included, need to be a lot more vocal in advising users to take greater precautions.  Any Internet port exposed to your network is an attack vector that somebody out there will sooner or later figure out how to exploit if it is not secured.  Granted a home network is not a high priority target, but if some malicious actor wants to build a botnet, any available PC will do.

SWAG with nginx, fail2ban, and Certbot all in one package is really the bare minimum that should be set up before anyone exposes an application like Emby to the Internet. It would be in Emby's best interest to make reference to this in their documentation that discusses Internet access. It would also be so easy to supply tested sample nginx or apache reverse proxy configurations in KB articles along with dire warnings about the potential consequences of not taking steps like this. Also, why not an entire forum section devoted to reverse proxies, fail2ban, etc.? There are lots of people in this community that could help out others with these issues.

 


Happy2Play
6 minutes ago, richt said:

Also, why not an entire forum section devoted to reverse proxies, fail2ban, etc.? There are lots of people in this community that could help out others with these issues.

@Abobader can this be done? Then a mod could move existing topics into the category.

 


vaise
1 hour ago, Happy2Play said:

@Abobader can this be done? Then a mod could move existing topics into the category.

 

I vote for that too.  Not that I have issue as I put security first.  

I don’t blame emby for this at all.  Same for lots of apps.  You can google radarr, sonarr hacks etc, same easy access for the internet but then people lose all their tv shows and movies.

Same as bank scams. People regularly give out their details with little/no checks and then blame the banks for not providing better security and want their money back.
 


3 hours ago, Happy2Play said:

@Abobader can this be done? Then a mod could move existing topics into the category.

 

Yes, it is a good idea; we will need a name for this forum section. @Luke @ebr, what do you think, do we go ahead with this?


TMCsw
4 minutes ago, Abobader said:

we will need a name for this forum section,

How about something simple like 'Security' or 'Securing emby' 


reneboulard

Just my 2 cents:

Having anything exposed to the internet is a potential problem. You are responsible for the security of your home network. When you open a door to the internet the world is watching you (or scanning you for vulnerability). You must set up a gate-keeper to keep it secure. You cannot rely on your ISP or its equipment for doing so.

All information for securing your emby server (and your home network) that is exposed to the internet is available in the forum.

However, only a tinkerer or an advanced user can easily sort out the different solutions and implement them.

I agree that having a section dedicated to security would be a plus.

But different solutions should be proposed for the different skill factors of users.

Example:

Basic for all solutions: All accounts in emby have to be password protected. Admin account to be only reachable in local network, not from internet.

Very easy: Use a commercial VPN Mesh Network.

Easy: DDNS to point to your home IP, set up a VPN server on your router or computer.

Medium: DDNS to point to your home IP, SSL certificate directly in emby.

Advanced: DDNS to point to your home, reverse proxy, SSL certificate, Firewall etc.


I still see (as a personal view) that we add a forum section to help everyone seeking advice on how to do what we should do; there is no right or wrong thing, but what fits your needs best.

Yes, I know most of you are experts in this area, but think of "us", the novice ones, to do the correct steps to secure our systems.

Yes again, the net is full of these types of subjects, but I do not see any harm in having a section here.

I am just waiting for @Luke and @ebr's thoughts about this.


Q-Droid
13 minutes ago, Abobader said:

I still see (as a personal view) that we add a forum section to help everyone seeking advice on how to do what we should do; there is no right or wrong thing, but what fits your needs best.

Yes, I know most of you are experts in this area, but think of "us", the novice ones, to do the correct steps to secure our systems.

Yes again, the net is full of these types of subjects, but I do not see any harm in having a section here.

I am just waiting for @Luke and @ebr's thoughts about this.

A dedicated section will become as cluttered and of little use as all of the hundreds of threads about the same things that are now scattered all over these forums. Maybe a dedicated section will bring them together to one place but that won't help most find the right answers.

You're going to find yourself spending a lot of time splitting threads and moving posts.

Forum members don't search. New forum members don't seem to know that search exists. Some people don't know what to search for. 

I guess any organization is better than none.

 

 


@Q-Droid True and good point above.

My idea is this:

When the admin team agrees about this, we will move the correct answers for these threads to that new forum, as no one will be able to start new threads in that new forum.

This way, it will be clean and well organized, in a manner of speaking.
