
Https: Is Emby secure?


darkassassin07


pir8radio

This was on a public wifi provided by Telus in a small town in Canada. It only happened for about 10 min then returned to normal.

 

I digress, the point there was to show you don't have to piss someone off or do something to make yourself a target. Hackers will attack devices/software they think are vulnerable regardless of where they are or who owns them.

When it comes down to whether or not your particular server will be attacked the answer is it's very unlikely. But when you consider the number of servers there are or will be and how many of them will be run by people who just don't know any better. Is it not worth making sure those servers have an acceptable level of security?

 

:)   I knew where you were going with it...   But again, you are focusing on a very small part of security, https, and again the https that emby supplies is good enough for home media.   You know how many emby servers I can find where their accounts have no passwords set?  https won't help them, bottom line it's up to the user of the system to make it secure.   Lol if you buy a new front door for your house, it doesn't come with a lock...  You have to buy and use the lock, how is it the door manufacturer's fault if you don't buy a lock and a bad guy walks in?

 

Sorry...  I'll stop...   I don't believe anything can be secured, that's why I argue the point.  I don't mean to get you worked up..  I'll be quiet, carry on with the discussion  ^_^


darkassassin07

Lol if you buy a new front door for your house, it doesn't come with a lock... You have to buy and use the lock, how is it the door manufacturer's fault if you don't buy a lock and a bad guy walks in?

 

Sorry... I'll stop... I don't believe anything can be secured, that's why I argue the point. I don't mean to get you worked up.. I'll be quiet, carry on with the discussion ^_^

True, however if I buy a new door that does come with a lock and I use that. Then later find all the internal parts are made of plastic so you could have gotten in with a screwdriver I'd be pretty pissed off.

It looks like a lock and keeps the door closed, but is it going to put up any real resistance to someone that happens across it and decides they want in?

 

 

I do agree, there is no such thing as true security. But things can be improved to make attacks more difficult with a relatively small amount of work as far as I understand it.

 

 

 

You're not winding me up or anything, it's interesting to see others' take on this. I'm just surprised to see people seemingly against improving security.


Jdiesel

Another thing to consider is client support. Some clients like Rokus are very picky about SSL certs. If Emby gives too many options there is the risk that it breaks compatibility with some clients which leads to the finger being pointed at Emby. For this reason I like the idea of a user configured reverse proxy.

 

Lots of ways to increase security but always at a cost of convenience, complex passwords, non-standard ports, IP white/black lists, fail2ban, etc. For some of us webserver security is a career, for others a hobby, but I'm guessing the average user just doesn't care. I guess what I'm getting at is that there are already a lot of ways one can improve the security of their server should they choose while not interfering with the average user's desire for convenience.


darkassassin07

It just seems idk... Lazy? For lack of a better word. There are a couple relatively easy changes that would increase security without limiting compatibility to anything you would actually see accessing emby but they are not implemented because it's easiest to use default and be done with it.

 

Ah well, I have said my piece so I guess I'll close my trap for a bit. Just trying to help those that, like me last month, just don't know any better.

 

Would you guys at least be willing to look into why Linux and FreeBSD only serve the main cert and not the full chain provided to them in the pfx? That just seems odd.


pir8radio

Would you guys at least be willing to look into why Linux and FreeBSD only serve the main cert and not the full chain? That just seems odd.

I’m sure the Emby team is already looking at any ways they can to improve security, “us guys” are just users like you throwing in our two cents lol. So don’t think we speak for the Emby team. :-)


darkassassin07

I’m sure the Emby team is already looking at any ways they can to improve security, “us guys” are just users like you throwing in our two cents lol. So don’t think we speak for the Emby team. :-)

I know, that was addressed to the emby team really. I'm sure @Luke at the very least is reading this but he doesn't seem to think there is a need for change.


I know, that was addressed to the emby team really. I'm sure @Luke at the very least is reading this but he doesn't seem to think there is a need for change.

 

We could make it completely secure - but then almost impossible to use.

 

This is a balancing act.  The system has to be easy enough to use for most people to be able to use it.  We do what we can but the end user must accept some responsibility for locking their own house.

 

Just look at all the posts out here that say "Emby doesn't work when I'm away from home.  It's broken.  Fix it." and every single one of them comes down to network security configuration.

 

If we can identify specific improvements in this area that still allow people to use the system without having to have a degree in internet security :) then, by all means, we will look to implement them.

 

Thanks.


We could make it completely secure - but then almost impossible to use.

 

This is a balancing act.  The system has to be easy enough to use for most people to be able to use it.  We do what we can but the end user must accept some responsibility for locking their own house.

 

Just look at all the posts out here that say "Emby doesn't work when I'm away from home.  It's broken.  Fix it." and every single one of them comes down to network security configuration.

 

If we can identify specific improvements in this area that still allow people to use the system without having to have a degree in internet security :) then, by all means, we will look to implement them.

 

Thanks.

 

 

+1

 

Otherwise Emby will go to the same road end as MS WHS did.


darkassassin07

If we can identify specific improvements in this area that still allow people to use the system without having to have a degree in internet security :) then, by all means, we will look to implement them.

 

Thanks.

- Enable TLS1.2 (the current standard)

- Disable SSL V2/3; these are insecure and unnecessary for anything you would find accessing emby

- Correct linux and freebsd not serving the full cert chain (this one is less hardening security and more just fixing a bug)

 

None of these changes should make things any different for end-users setting up their servers but will significantly improve security at least as far as https goes.

 

Failing that the simplest solution would be to make it more clear to users that the built-in https really is just a very basic setup. For any real security you should be exploring other means.

When I set up my server I just assumed you would have provided some fairly decent security where you expected it to be directly exposed to the internet by someone who potentially doesn't know to explore further than the instructions they were given. Especially since there were no options to configure that further.

 

I can live with Cs and Ds, but there is no reason to be providing 'F' level security for anything past your own personal use.


Happy2Play

But all of security comes from the underlying OS, correct?  So if the user is maintaining an OS that has been abandoned and refuses to upgrade, is it Emby's fault?  Should Emby move on and eliminate support for old systems that users want to use?

 

Should Emby stop supporting Windows 7 since it got a "F"?  Or should the User upgrade to a more secure system?


darkassassin07

But all of security comes from the underlying OS, correct?

To some extent sure. You are not limited by hardware or software in this case, it's down to how the software is configured. These results are from the default ssl settings for each os utilized by emby, but that doesn't mean you can't change configuration to improve things.

 

If I can set up an NGINX server on a windows 7 machine that gets an A+ I'm sure emby can manage at least a C.


Happy2Play

Right, you can add an additional layer to the outdated OS.  As a normal user this will not likely happen.  So in the end there isn't much Emby can do for those users.  The question can't really be "Is Emby secure".


darkassassin07

Right, you can add an additional layer to the outdated OS. As a normal user this will not likely happen. So in the end there isn't much Emby can do for those users. The question can't really be "Is Emby secure".

I don't understand what you are saying...

 

 

On the exact same OS (win 7) I can host a web server using NGINX which scores an A+

 

I can also host an Emby server which scores an F

 

If I can configure a web server using one piece of software that utilizes the current standards without using old outdated protocols

 

Why would another piece of software on the exact same system be incapable of doing the same?

 

Emby isn't incapable of having decent security across all platforms, it just hasn't been set up to do so. As Luke has said it was set up with the default parameters for each system and left at that. Because that was the easiest way to get it working.


I don't understand what you are saying...

 

 

On the exact same OS (win 7) I can host a web server using NGINX which scores an A+

 

I can also host an Emby server which scores an F

 

If I can configure a web server using one piece of software that utilizes the current standards without using old outdated protocols

 

Why would another piece of software on the exact same system be incapable of doing the same?

 

Emby isn't incapable of having decent security across all platforms, it just hasn't been set up to do so. As Luke has said it was set up with the default parameters for each system and left at that. Because that was the easiest way to get it working.

 

You want Emby to provide you with a built-in reverse-proxy?


pir8radio

You want Emby to provide you with a built-in reverse-proxy?

 

:)    No, I get what they are saying.  Why can one piece of software achieve an A+ but another piece of software on the same PC not?   I think there is a lack of knowledge as to how emby's web server using (I assume) .net core works using pieces of software from the OS,  vs a stand-alone application like nginx which has everything built in?


pir8radio

That's essentially all this is about, is that older protocols are allowed.

 

Oh, yea I bet it would pop the "grade" up...  but I really don't think it's an issue...  But none of the emby clients use ssl 2 or 3 anyway...  and you can make people happy... win win.    :)


Oh, yea I bet it would pop the "grade" up...  but I really don't think it's an issue...  But none of the emby clients use ssl 2 or 3 anyway...  and you can make people happy... win win.    :)

 

Yes but the test software that creates the A-F grade checks for it and that ends up affecting the score.


but why does Emby running on FreeBSD not have TLS 1.2 available?

It does now if you have mono 5.10 which just a few days ago was finally merged into freebsd ports. Mono is too big to bundle into an application so we have to use the version from freebsd ports. Unfortunately, whoever merged it inadvertently left out the btls library that is needed, so the freebsd crowd is waiting on that to be resolved, you can read here:

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=229247

 

Prior to a few days ago though, freebsd only had mono 4.8.1 available so that is why it has been stuck on older tls versions. There is no .net core for freebsd as of yet.


ok cool.

Also I thought we had .Net core everywhere so was confused as to why there were such differences between the platforms.

 

there are only a few platforms and architectures still on mono and freebsd is one of them. MS is not yet providing a freebsd .net core runtime. We could try to build the runtime ourselves, but we do not have the bandwidth to try and be trailblazers and help them figure out all of the things they need to figure out:

https://github.com/dotnet/corefx/wiki/Building-.NET-Core--2.x-on-FreeBSD


darkassassin07

:) No, I get what they are saying. Why can one piece of software achieve an A+ but another piece of software on the same PC not?

That's exactly what I mean.

 

 

I think there is a lack of knowledge as to how emby's web server using (I assume) .net core works using pieces of software from the OS, vs a stand-alone application like nginx which has everything built in?

There probably is. I'm not familiar with how emby is put together, or even what .net core is. Haven't quite gotten that far in my technological endeavors.

 

I don't understand why emby wouldn't have access to things like TLS1.2 on all modern systems, it's been in use since 2006. Even if it wasn't a part of Windows 7 at its release, it's been 12 years. Updates happen.

 

Regardless, every one of those tests shows tls1.0 to be enabled so SSL v2/3 can be disabled. That's the biggest security problem I see, simply the fact that SSL is an option. You don't need extra components to disable something.

 

 

That still doesn't explain why linux/freebsd would fail to serve the whole cert chain. Any comment on that?

 

 

/edit it seems there was a whole page I hadn't seen quite yet. Great to see SSL being disabled. Thanks @Luke :)

 

@pir8radio while none of the clients use it by default, it's possible to tell the server a client only accepts ssl v2, downgrading the connection and making it vulnerable


Q-Droid

That still doesn't explain why linux/freebsd would fail to serve the whole cert chain. Any comment on that?

 

Agreed. The depth=0 response for the cert chain is causing problems with CA verification. Is there an ETA for this fix?

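Added example, not part of any post in this thread and not Emby code: a small Python check for the leaf-only chain (the depth=0 symptom) raised above. It assumes its input is the text printed by `openssl s_client -connect HOST:PORT`; the host and CA names in the sample output are made up.

```python
import re
SUBJECT = re.compile(r"^\s*\d+\s+s:(.*)$")   # " 0 s:CN = host"
ISSUER = re.compile(r"^\s+i:(.*)$")          # "   i:CN = issuing CA"

def parse_chain(s_client_text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain, in_section, subject = [], False, None
    for line in s_client_text.splitlines():
        if line.strip() == "Certificate chain":
            in_section = True
        elif in_section and line.strip() == "---":
            break                              # end of the chain listing
        elif in_section and SUBJECT.match(line):
            subject = SUBJECT.match(line).group(1).strip()
        elif in_section and subject is not None and ISSUER.match(line):
            chain.append((subject, ISSUER.match(line).group(1).strip()))
            subject = None
    return chain

def audit_chain(s_client_text):
    """Classify what was served: empty, self-signed, leaf-only, broken, linked."""
    chain = parse_chain(s_client_text)
    if not chain:
        return "empty"
    # Every certificate must be issued by the next one in the list.
    for (_, issuer), (next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:
            return "broken"
    if len(chain) == 1:
        subject, issuer = chain[0]
        return "self-signed" if subject == issuer else "leaf-only"
    return "linked"  # trust in the final issuer is still the client's decision

# Constructed sample output (names are made up), not captured from a real server.
LEAF_ONLY = """\
depth=0 CN = media.example.test
---
Certificate chain
 0 s:CN = media.example.test
   i:CN = Example Intermediate CA
---
"""
FULL_CHAIN = """\
Certificate chain
 0 s:CN = media.example.test
   i:CN = Example Intermediate CA
 1 s:CN = Example Intermediate CA
   i:CN = Example Root CA
---
"""
```

A result of `leaf-only` means the server sent a CA-issued certificate without its intermediates, so clients that do not already hold the intermediate cannot build a path to a trusted root.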

The older protocols have been disabled for the next release.

 

FreeBSD is limited by the capabilities of the older mono runtime that is in FreeBSD ports. There's nothing we can do about that until the FreeBSD community gets the mono version updated. Please see my comments from a few days ago.

 

Thanks.

