
Feature request: Secure LAN by default with SSL



MoviezMcGee
Posted

Emby has no built-in way to secure the LAN connections. This means all local network activity is unencrypted. Any logins or streaming data or images loaded over the LAN will be unencrypted and that means someone on your network could easily capture all the packets and tell what is going on. That is really bad.

You might think it is unlikely but guess what? People get hacked all the time. PC games have anti-cheat which is easy to hack and someone might use it to connect to the local network and then spy on traffic. One minute you are getting a victory royale in Fortnite, the next someone is snooping on Emby activity.

Also consider, in houses with many people living there using WiFi, there will be all sorts of sketchy mobile apps and computer apps being used all the time and who knows a malicious one could spy on your server and steal passwords and data and stuff. Also possible. There are more possibilities.

Encryption is a really important tool for modern servers, and especially for a home server that is self-hosted and probably not being managed by someone with a lot of security and knowledge, it is really important imo that Emby handles encryption for them.

This is why I propose that Emby needs to make HTTPS the default and should provide some kind of LAN HTTPS out of the box that doesn't require configuration. Something similar to what Caddy does but by default and always. This way, I don't need to worry about getting pwned when I am logging in on my Roku and my roommate is playing COD or Genshin Impact on PC or whatever.

I'm sure Emby devs could maybe automate getting a Let's Encrypt cert or something so browsers and the like accept it and use that to secure local traffic, and maybe give users an easy option to use both HTTP and HTTPS on LAN ONLY, even with no external connections. Emby needs better default security imo. Plus, it is not even possible to run Emby with LAN SSL right now, so even with a reverse proxy there is a gap where nothing is encrypted, which requires advanced firewall knowledge.

Please Emby devs add LAN SSL IDEK if I have to pay extra for it thanks!

Posted
10 hours ago, MoviezMcGee said:

should provide some kind of LAN HTTPS out of the box that doesn't require configuration

Hi.  LAN connections are made by local IP address...

MoviezMcGee
Posted
3 hours ago, ebr said:

Hi.  LAN connections are made by local IP address...

Right but, they are all insecure connections so if there were a malicious person on the local net they could hack the Emby!

pwhodges
Posted

You're better off working to ensure that malicious code does not get free rein on your network.  Being able to snoop Emby locally is a comparatively minor deal in comparison with what malicious code in your network can do elsewhere using standard commands.

Paul

  • Agree 2
Posted
6 hours ago, MoviezMcGee said:

Right but, they are all insecure connections so if there were a malicious person on the local net they could hack the Emby!

How are you going to get a cert on a local IP address?

pwhodges
Posted

By using Caddy.  Caddy can be configured to generate a self-signed certificate for an IP address; however, no other program will trust it.

Paul

Posted

The Emby is the least of my worries if someone is snooping on my LAN. They can have the Emby, there's nothing of real value there for me. Get distracted with the Emby while I lock down everything else...

Like @pwhodges says, anyone using a reverse proxy can create a self-signed cert for the backend/upstream hosts. The frontend will need a trusted cert and for most that means from a real CA.

 

  • Agree 1
MoviezMcGee
Posted

@ebr can Emby not use a CA to sign a local net? That was my idea. Does SSL not work when self-signed on a local net? I just like the idea of all the stuff being encrypted; my hacker friend says encryption is really important and HTTP is bad in general and I think that is true.

MoviezMcGee
Posted

So I guess LAN HTTPS is not really a doable thing for Emby to just do for users? That's too bad, but I guess I can live with that; at least Emby isn't that security-sensitive besides usernames and passwords and movies.

MoviezMcGee
Posted (edited)
5 hours ago, pwhodges said:

By using Caddy.  Caddy can be configured to generate a self-signed certificate for an IP address; however, no other program will trust it.

Paul

Wait, why doesn't Emby do this by default so at least we can choose the HTTPS version and not the HTTP one? Wouldn't it be technically better to use HTTPS on the LAN even with untrusted certs, just for Roku, and Caddy to do the reverse proxy to the domain? I'd like the option just for peace of mind that my hacker friend doesn't steal my movies or password or whatever. Most of my stuff is secured except Emby, but with Emby, if it did at least a self-signed HTTPS on the LAN that is all I'd want; I don't care if Chrome thinks it doesn't want to trust it, that's my own problem, and it doesn't trust the HTTP anyway, so what's the difference except it is more secure? Right now a hacker could literally watch anime with me and steal my Emby login and see the unsecure HTTP and that it's going to my domain! They could steal my logon and watch my movies, right?!

Edited by MoviezMcGee
Posted
1 hour ago, MoviezMcGee said:

Wait, why doesn't Emby do this by default so at least we can choose the HTTPS version and not the HTTP one? Wouldn't it be technically better to use HTTPS on the LAN even with untrusted certs, just for Roku, and Caddy to do the reverse proxy to the domain? I'd like the option just for peace of mind that my hacker friend doesn't steal my movies or password or whatever. Most of my stuff is secured except Emby, but with Emby, if it did at least a self-signed HTTPS on the LAN that is all I'd want; I don't care if Chrome thinks it doesn't want to trust it, that's my own problem, and it doesn't trust the HTTP anyway, so what's the difference except it is more secure? Right now a hacker could literally watch anime with me and steal my Emby login and see the unsecure HTTP and that it's going to my domain! They could steal my logon and watch my movies, right?!

Hi, how would they get onto your LAN?

pwhodges
Posted (edited)
4 hours ago, MoviezMcGee said:

can Emby not use a CA to sign a local net? That was my idea.

A CA won't sign a local address, it's in the rules - because all local nets are in the same range of addresses.  It would be a bit like putting a lock on your door with the same key as your neighbours and everyone else.  Besides, how much of the traffic on your LAN is HTTP anyway?

Paul

Edited by pwhodges
Posted
7 hours ago, MoviezMcGee said:

Most of my stuff is secured except Emby, but with Emby, if it did at least a self-signed HTTPS on the LAN that is all I'd want; I don't care if Chrome thinks it doesn't want to trust it, that's my own problem, and it doesn't trust the HTTP anyway, so what's the difference except it is more secure?

TLS certificates offer encryption and authentication (validation) and self-signed certs are missing the authentication part. Aside from browsers few devices and apps let you bypass the authentication or update the trust store. For the devs to put effort into something that won't work for the vast majority and at the same time breaks one of the basic principles of PKI and security is a waste of time when the few who really want something like this have other tools available.

  • Agree 1
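What the last two replies describe, as an added example (not code from the thread, from Emby or from Caddy): a small Go program that builds a self-signed certificate whose only name is a private IP address (192.168.1.10 is a made-up LAN address) and then verifies it twice, once against the system trust store, the way a browser, a Roku app or a mobile client would, and once against a store that explicitly contains that one certificate. The first check fails and the second succeeds, which is the encryption-without-authentication point made above: such a certificate can still encrypt the connection, but nothing vouches for who is on the other end unless every client is told to trust this exact certificate. A third check with a different IP shows the authentication part doing its job once the certificate is trusted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Constructed example address: a private (RFC 1918) LAN IP that no public CA
// will ever issue a certificate for. Not taken from the thread.
const lanIP = "192.168.1.10"

// makeSelfSigned returns a freshly generated self-signed X.509 certificate
// whose only subject alternative name is the given IP address. This is the
// kind of certificate Caddy produces for an IP-addressed upstream.
func makeSelfSigned(ip string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "emby-lan (constructed example)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true, // it is its own issuer, so it must be allowed to sign
		IPAddresses:           []net.IP{net.ParseIP(ip)},
	}
	// Template and parent are the same certificate: self-signed.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyAgainst returns nil only if cert chains to a root in roots AND names
// the given IP. roots == nil means "use the system trust store", which is
// what every ordinary client does and why a self-signed cert is rejected.
func verifyAgainst(cert *x509.Certificate, ip string, roots *x509.CertPool) error {
	_, err := cert.Verify(x509.VerifyOptions{DNSName: ip, Roots: roots})
	return err
}

// pinnedPool builds the trust store a client would need: one that contains
// exactly this certificate and nothing else.
func pinnedPool(cert *x509.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return pool
}

func main() {
	cert, err := makeSelfSigned(lanIP)
	if err != nil {
		panic(err)
	}
	// 1. Default client behaviour: untrusted issuer, handshake would be refused.
	fmt.Println("system trust store :", verifyAgainst(cert, lanIP, nil))
	// 2. Client explicitly pinned to this certificate: accepted.
	fmt.Println("pinned to this cert:", verifyAgainst(cert, lanIP, pinnedPool(cert)))
	// 3. Same pinned client, but a different host presents the cert: rejected,
	//    because authentication checks the name, not just the signature.
	fmt.Println("pinned, wrong IP   :", verifyAgainst(cert, "192.168.1.11", pinnedPool(cert)))
}
```

Run it with `go run .`; the first and third lines print an error and the second prints `<nil>`. The design point is that the pinning step in (2) has to be repeated on every client that talks to the server, and on most TV and mobile apps there is no way to do it at all, which is the "won't work for the vast majority" argument in the reply above.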
Posted
12 hours ago, MoviezMcGee said:

Wait, why doesn't Emby do this by default so at least we can choose the HTTPS version and not the HTTP one? Wouldn't it be technically better to use HTTPS on the LAN even with untrusted certs, just for Roku, and Caddy to do the reverse proxy to the domain? I'd like the option just for peace of mind that my hacker friend doesn't steal my movies or password or whatever. Most of my stuff is secured except Emby, but with Emby, if it did at least a self-signed HTTPS on the LAN that is all I'd want; I don't care if Chrome thinks it doesn't want to trust it, that's my own problem, and it doesn't trust the HTTP anyway, so what's the difference except it is more secure? Right now a hacker could literally watch anime with me and steal my Emby login and see the unsecure HTTP and that it's going to my domain! They could steal my logon and watch my movies, right?!

If a hacker gets on your LAN, HTTPS is not going to stop them if they really wanted to get to your Emby server, just FYI. There are more steps to securing a network than just HTTPS, which isn't really on the Emby devs.

Posted

How do you want to secure your local IP? Except by using a self-signed certificate, which is really boring.

MoviezMcGee
Posted

Hmm okay maybe I'm misunderstanding the security. Thanks for the helpful advice everyone!
