Is Emby Connect using SSL?


deme74

Hi

 

I have my server set to require SSL for remote connection and only the secured port is forwarded by my firewall. However, when using Emby Connect the browser is using an unsecured connection (see image). What am I missing?

 

post-293231-0-94223700-1551094751_thumb.jpg

Link to comment
Share on other sites

Hi.  That's the online web app as opposed to Connect (which is just an easy way to find your server).

 

If you want to use SSL, then you need to go to https://app.emby.media and log in.

 

Or, just your direct domain name.

Link to comment
Share on other sites

lightsout

Hi. That's the online web app as opposed to Connect (which is just an easy way to find your server).

 

If you want to use SSL, then you need to go to https://app.emby.media and log in.

 

Or, just your direct domain name.

Will this method allow me to use SSL with Emby without doing anything on my part like buying a certificate?
Link to comment
Share on other sites

Will this method allow me to use SSL with Emby without doing anything on my part like buying a certificate?

 

No.  You need a proper SSL setup on your end but you don't necessarily have to purchase a cert (there are free options).

Link to comment
Share on other sites

lightsout

No. You need a proper SSL setup on your end but you don't necessarily have to purchase a cert (there are free options).

ok thanks ebr.
Link to comment
Share on other sites

Thanks for the reply.

 

I got there by pressing sign in on the Emby home page which is opening an unsecure page.

 

I know I can go directly to my server, and the link you provided is also OK. My question was: how could an unsecured connection be made to a server which is set up correctly and should accept only secured connections?

Link to comment
Share on other sites

No.  You need a proper SSL setup on your end but you don't necessarily have to purchase a cert (there are free options).

It is set up properly, with a Let's Encrypt certificate. If I use your link or go directly to the server all is fine and with a green sign on the browser.

Link to comment
Share on other sites

If you are using https://.... and it's working with the Let's Encrypt certificate, then what's your issue?

Do you want https:// to also be used when the user is trying to connect with http://?

Then you need to redirect http:// requests to https://, which is usually done with virtual hosts.

I will show you how I did this on my Synology NAS:

Emby itself is not using any "SSL" options.
It is only set up on port 8096, on http://localhost:8096

Everything else is done by the reverse proxy (https://myapp.blabla.de -> http://localhost:8096).
To prevent Emby from being reached through http://, I have also set up a virtual host which redirects anything coming in on http://myapp.blabla.de to https://myapp.blabla.de, which is then again my reverse proxy.

So the user is always using the secured https address.

Link to comment
Share on other sites
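
The two-virtual-host layout described in the post above, written out as nginx configuration. This is an added example, not the poster's own configuration: the post does not name the proxy software, so nginx is an assumption, and the certificate paths are placeholders. The hostname and backend port are the ones given in the post.

```nginx
# Added example: HTTP-to-HTTPS redirect plus TLS-terminating reverse proxy.
# Hostname and port 8096 come from the post; certificate paths are placeholders.

# Virtual host 1: plain HTTP never serves content, it only redirects.
# The target host is hard-coded so a forged Host header cannot steer the redirect.
server {
    listen 80;
    server_name myapp.blabla.de;
    return 301 https://myapp.blabla.de$request_uri;
}

# Virtual host 2: TLS ends here; Emby itself stays on loopback HTTP.
server {
    listen 443 ssl;
    server_name myapp.blabla.de;

    ssl_certificate     /path/to/fullchain.pem;   # placeholder
    ssl_certificate_key /path/to/privkey.pem;     # placeholder
    ssl_protocols       TLSv1.2 TLSv1.3;

    # After the first HTTPS visit, browsers stop trying http:// for this host.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        # Loopback address: the backend is not reachable from other machines.
        proxy_pass http://127.0.0.1:8096;
        proxy_http_version 1.1;

        # Pass the original request details to the backend.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Allow WebSocket upgrades from the web client to pass through.
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";

        # Do not buffer media streams in the proxy.
        proxy_buffering off;
    }
}
```

The layout only protects the server if ports 80 and 443 are the sole ports forwarded at the router, so that the proxy is the only path to port 8096.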

I can access my server directly via https with no problems on port 8920 which is forwarded by my firewall. If I try http on port 8096 it will not work as the firewall will block it. Also the Emby server is set to require secure connection for all remote connections. So how come I can connect unsecurely via EmbyConnect?

Edited by deme74
Link to comment
Share on other sites

Okay.
I've just checked "app.emby.media".

This seems to be a "portal" or "gateway" provided by emby.media itself, which then redirects to the servers which are registered to your Emby online account.

I never noticed this possibility until now - I am only using my own URL for connecting to my Emby Server.

Link to comment
Share on other sites

I’m new to Emby and I’m used to the Plex online login, so this is why I stumbled upon it.

 

Still, the question remains. How come an insecure connection can be made to a server which should not allow insecure connections?

 

 

Link to comment
Share on other sites

I’m new to Emby and I’m used to the Plex online login, so this is why I stumbled upon it.

Still, the question remains. How come an insecure connection can be made to a server which should not allow insecure connections?

The check is only against the protocol. If you have setup ssl you can now use the https version of the online web app.

Link to comment
Share on other sites

So, if I’m getting this right, the http version of the web app is working even if the server is configured for SSL only?

 

 

Link to comment
Share on other sites

It is impossible for us to bypass the SSL requirement if that is how you have configured it on your end.

 

The screen you brought up is just looking at the url and seeing "http" and, therefore, assuming an insecure connection.

Link to comment
Share on other sites

Sorry, web servers are not my area of expertise. So basically it’s reported incorrectly as insecure by the browser although the connection is using SSL?

 

 

Link to comment
Share on other sites

Basically, the page "app.emby.media" is not SSL secured.
But this is not based on your server settings, since it is not your server...

This page is part of the "emby.media" domain... and uses your "community" login to connect to your profile, where you can then select your server.
This part should be secured if you have enabled SSL and are using a valid certificate for your browser.

But since the address still points to app.emby.media, the browser is showing an unsecure connection.

That's what I understood after realizing, that there is such an option^^

Link to comment
Share on other sites

That would be my understanding as well. However, I consider the unencrypted connection between the browser and the app a potential vulnerability and perhaps it’s a good idea to default the link from the Emby home to the https version of the web app unless there is a strong motivation to keep the http as default.

 

If someone prefers to not use https then they can use a direct link to their server. The importance of secure connections cannot be stressed enough these days and I believe Emby should offer only secure connections on their website. It’s better to stay on the safe side.

 

 

Link to comment
Share on other sites

but to be honest?
I don't really care about the option "app.emby.media".
I know the URL where I can connect my emby - and I know, that this traffic is secured.
I don't even care if http or https, since this will be managed by my reverse proxy and a virtual host before Emby is reached.
In the end, Emby is running completely without SSL on my server, since the connection to my server itself is the secured part.

I was following another discussion in another topic, which was a bit older... and in my opinion:
Running a server and wanting a secure / encrypted connection requires manual setup of all those things.

I'm not a fan of "connector" services like they are used by plex (one major reason why I haven't finally used plex and ended up here^^)

 

Link to comment
Share on other sites

I agree with you and I am considering a similar kind of setup if I switch to Emby. Until then I’m exploring all kinds of ways my technologically challenged friends and family can access my server, so when I saw the option was there I tried it, and it seemed like a vulnerability.

 

I don’t want to go into details of the way Plex handles it but as a principle, they recognized that secure remote connections are a must these days and that the majority of their users will not be able to properly set up and maintain a secure server, so they set up a way to do it without requiring any user action. We may not like some of the details of the solution but the ones arguing are the ones who could set up a secure server anyway. What would happen to the others who may ignore or underestimate the dangers of unsecured connections?

 

Please @Luke, @ebr, take a look at this and if the http version of the web app is the default by mistake please change it to the https version. If you need to keep the http version, at least put a notification that https would be recommended.

 

Thanks for listening

 

 

Edited by deme74
Link to comment
Share on other sites

I would like to go a step deeper and have a setting in the administrator settings which lets the admin decide whether "app.emby.media" can be used or not.
As far as I understood, it would not work if you have not connected your Emby user with the community user - right?

Link to comment
Share on other sites

ok.
then, another question:

What would be the goal if app.emby.media will be ssl secured, but your server itself isn't because the admin does not know how to?

Pls. don't misunderstand my point - I am in the IT business - so, I have another background and maybe another point on those topics, but If I setup a Server on my own, it is my responsibility to secure this connection, if I make it available from outside my network.
Then, it is my responsibility to do all the stuff with certificates, and so on.

In this case, I already know on which URL I reach my server - and how I can login securely.
What is the point, why I should use emby connect - and, if emby.connect will be ssl secured, but my server is not - what's the benefit or what's the security at all?

at least the connection with my server after login into emby connect should be not encrypted in this case.

I agree that app.emby.media should have SSL encryption to prevent user credentials from being sniffed by someone... but on the other hand... I don't know how emby.connect is exactly working...
The most important part still seems to be the own server to me, and this isn't something the Emby team can handle if the administrator isn't aware of how to set such things up.

I do not know, how a simpler solution should be implemented into a self hosted server application, without implementing a complete webserver-architecture... and other options.

Let's face it like it is:
1) Emby is working just like most other "server" Applications - and the administrator has to think about security
2) I don't know, how plex is handling such things... it might be, that the solution is at least not as secure as you might think (as long as you have "plex" as man in the middle)
3) emby.connect works similarly - and is a "man in the middle" system to connect you with your own server.

The Only reasonable way why I could use emby connect:

If I have accounts on several different emby servers.
e.g.

I have my own server
two of my friends have one

on all servers, my user is connected to emby connect.
Then, I can just select the server I want to use right now from app.emby.media - without remember each url of the server.

But again, if the server itself is not secured, any ssl setup on emby connect would not really make sense.

I don't really see a way how the emby developers should / could make it "easier" or prevent that the administrator should think about what he's doing...

Link to comment
Share on other sites

We're in the same business :D

 

ok.
then, another question:

What would be the goal if app.emby.media will be ssl secured, but your server itself isn't because the admin does not know how to?

 

The goal is to have all of the potential connection components secure precisely because my server is secure. I mean if my server is secure then the http version of the web app is the weak link. If my server is not secured then it doesn't matter but this is not the scenario I'm targeting.

 

The emby connect credential page is secured but then it opens the web app which by default is not.

 

You are right that each admin is responsible for its server. I could argue that for us IT people things may be simple and straightforward but not for the average user and I'm not sure that Emby is intended only for advanced users. For instance I had a small hiccup setting up SSL because the server config is asking for the domain name when in fact what is needed is the host name, the external FQDN, and even the example provided there the host name was not used so things can get a little confusing even for users with a little knowledge in the area.

 

My intention with the post was not to debate who is responsible for what and how to access the server but merely to point to a potential vulnerability in accessing an otherwise secure server.

Link to comment
Share on other sites

I agree.
The average user of emby isn't a server architect.
But honestly... those people should avoid to make ANYTHING available from outside their home network... ;)
Just what I've seen in several other discussions when it came to "portforwarding" and things like this....

How to secure their network with SSL is the last "problem" they will have on their list then... ;)
I'm just trying to get things connected... I still don't really see the benefit from using app.emby.media when I setup my home server, make it available from the outside and use (most probably in those situations) dyndns.
Then I know how I can connect to my server web app, which is again secured if it was set up correctly.

I only need app.emby.media if I want to use several different servers I want to connect to.
And then, I need to link my account on each of these servers with emby connect...

And my thoughts are more, that enabling secured connection on app.emby.media will suggest some users, that their server might be secure, even if they haven't setup anything else on their server.


 

Link to comment
Share on other sites

 

And my thoughts are more, that enabling secured connection on app.emby.media will suggest some users, that their server might be secure, even if they haven't setup anything else on their server.

 

 

True. Perhaps a notification that the connection to the server is not secure in the web app or something with clear red letters in the server dashboard letting them know without a doubt that the server is not using secure connections. This way it's an admin informed option to let remote connection go unsecured and accept the risks involved. I saw a lot of posts here with step by step instructions on securing the server so if there is a will there is also a way.

Link to comment
Share on other sites
