oop 0 Posted January 3, 2021 Posted January 3, 2021 So this has been bugging me for a while, when you click sign in on emby.media website it redirects you to the following url: http://app.emby.media. Is there any reason for this not to be https://app.emby.media? Why not just enforce SSL like on the primary domain? Thanks.
Happy2Play 9780 Posted January 3, 2021 Posted January 3, 2021 Not everyone has a ssl on their server so you can not force this. But emby.media is the website not app.emby.media and does not redirect to that for me.
oop 0 Posted January 9, 2021 Author Posted January 9, 2021 Sorry for the delayed reply. I understand that not everyone has their server protected with SSL but I believe this is not relevant for my query. For reference I've included some screenshots below of the flow I'm talking about. Spoiler As you can see at the moment of taking these screenshots I have not yet logged in and Emby is as of this point unaware of who I am and where my server is. This same webpage also works fine using SSL, as I've manually corrected it many times. At this point you log in to Emby Connect the user information of which is not stored on my server but presumably on an Emby Connect database somewhere. Some more screens: Spoiler At this point I'm logged into Emby Connect and I get to pick a server, out of a possible list of servers which in my case is just the one. But assuming you can have more than a single one added at this point I'm still not on my server but still in an Emby Connect environment. Next when I select my server I get the popup that I will be redirected to my server which after confirming redirects me to my own server on my own domain. In my case this is one secured by a SSL certificate but you can very well redirect directly to an IP and a port without a certificate as far as I'm aware. Which begs the question, why could this entire process not be done over a SSL protected website? At this point I feel I should add that this is not intended as an attack and I do not wish for it to come across as such. I very much appreciate Emby as a service but I feel there might room for improvement here, or maybe at the very least a discussion. I hope the above has clarified my query.
Luke 42077 Posted January 9, 2021 Posted January 9, 2021 It's relevant because if you don't have ssl on your server then it will fail to connect and people will just come in here and report that the app isn't working. When we get to the point where we know that all emby servers have ssl, then we can make the online web app https only. In the meantime you can just use https://app.emby.media
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now