Emby Connect, security and SSL


TheRenegade

OK, so this is going to be a several part question, or have several questions I guess is the better way of putting things. Really I am looking for best practices for security and my Emby.

I want to have access to my Emby server while out of the house, mainly just for access while at work. So I have linked my server to Emby Connect, added passwords to all the users (kids/wife), enabled PIN for on home network, leaving that blank (great option btw), and hidden the only account with Admin access. So I guess my questions are:

1. How secure is Emby as a whole?

2. I have a dynamic IP, so Emby Connect is great for not needing to remember the IP of the server, but then is there any point to using SSL? As wouldn't setting up a Dynamic DNS for the IP be a huge pain (I have a shitty router that won't update a DNS service)?

Link to comment
Share on other sites

I'm going to go out on a limb and say it's not that important - hold the rocks and stones people :)

The real concern is man-in-the-middle attacks and you "giving away" your username/password in clear text over the internet. If you are trying to use this from work it's probably not a huge concern. What you can do if you "must" use Emby this way without SSL is:

Do NOT use your admin account to log in anywhere not local to the server.

Do not give remote access to anyone but yourself (and only to a non-admin account).

Make sure you have no destructive features turned on for the remote access account you are going to use in case someone does get your username/password. So don't allow deletes or anything like that.

You can always use a "throw away" account like "tinman", "roofus" or any goofy name if you like that basically has "read only" access to Emby.

 

Now think about it. Even if someone got access by a man-in-the-middle attack it's only for this one account since it's the only authorized remote account. You of course used a password not used anywhere else (just in case).

What is the worst that would happen in this circumstance? Someone hacks your username/password and gets to watch your movies/shows for free?

You can help mitigate this by using the Playback Reporting Plugin, keeping an eye on the account you set up for remote access.

I think people get bent out of shape over SSL too much in specific situations like this where you control everything and can be smart about the account credentials and password used (not the same as you use anywhere else).

Now with all that said, it's still far better to get your system set up to use SSL and then you don't have to worry about this type of thing. :)
