In Media Center 23, MC gained the ability to host the Library Server and MCWS, and all related services like WebGizmo and Panel, over HTTPS.
This feature is disabled by default because it requires a certificate, and can be enabled in Options -> Media Network -> Advanced -> Enable SSL.
The server is based on the most recent security technologies and supports TLS 1.0 up to TLS 1.2 (older SSLv2 or SSLv3 protocols are not supported, as they are considered insecure).
Certificates
To use SSL/TLS encryption, you need a certificate. Media Center supports generating a self-signed certificate automatically, or lets you provide your own certificate.
Here is a short primer on what these differences mean for you:
Self-signed certificates have the advantage of being immediately available. However, web browsers do not trust them, so you'll get a security warning when connecting to MCWS or Panel with a browser. Because anyone can create a new self-signed certificate, the certificate itself gives you no information about which server you are actually connecting to. They otherwise provide the same secure encryption as "trusted" certificates.
Certificates issued by a Certificate Authority have the advantage of creating a chain of trust. If you own a certificate for a certain domain/server, the Certificate Authority will have verified in some way or form that you actually own this server, so when you connect to it, you know that it really is this server. Browsers trust these certificates, as long as the Certificate Authority is trustworthy.
So what kind of certificate do you need for Media Center? Well, that's up to you. Setting up a fully trusted certificate, especially for a library server running from your home, can be a bit complicated, while generating a self-signed certificate happens in a matter of seconds. In my opinion, if your primary goal is to be able to securely communicate with MC so that your username/password and your media cannot be "snooped", even on open WiFi or insecure networks, then a self-signed certificate will do the job.
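A client can close the identity gap of a self-signed certificate by pinning its fingerprint on first contact and comparing it on every later connection. The following Python code is an added example, not Media Center code; the pin store, the function names and the server label are assumptions made for illustration, and the sample certificate bytes are constructed.

```python
import hashlib
import hmac
import socket
import ssl


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def fetch_der(host: str, port: int, timeout: float = 5.0) -> bytes:
    """Return the server's leaf certificate without chain validation.

    Validation is off because a self-signed certificate has no CA chain;
    trust comes from the pin comparison in check_pin() instead.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def check_pin(pins: dict, server: str, der: bytes) -> str:
    """Trust-on-first-use: record the first fingerprint, then require it."""
    seen = fingerprint(der)
    known = pins.get(server)
    if known is None:
        pins[server] = seen          # first contact: remember this certificate
        return "pinned"
    if hmac.compare_digest(known, seen):
        return "match"               # same certificate as on first contact
    return "mismatch"                # different certificate: do not send credentials


if __name__ == "__main__":
    # Constructed stand-ins for two different DER-encoded certificates.
    original = b"constructed-der-bytes-A"
    replaced = b"constructed-der-bytes-B"
    pins = {}
    label = "library-server.example"  # hypothetical label for the server
    for der in (original, original, replaced):
        print(check_pin(pins, label, der))
```

Against a live server, pass the result of `fetch_der(host, port)` to `check_pin()`, and treat a mismatch as a reason to stop before any username or password is sent.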
Status
- 23.0.2: Implemented HTTPS server support
- 23.0.8: HTTPS Client support for Media Center clients is available
- Support in mobile remote apps is planned
Why don't you automatically get certificates from Let's Encrypt?
Some of you interested in HTTPS support have expressed interest in services like Let's Encrypt being integrated directly into MC to try to obtain trusted certificates automatically. We've explored these ideas, but because MC is most of the time hosted on home connections, behind a router/firewall and without a permanent DNS name, the effort required to set this up on the user's side takes the value out of such an "automation". We're more likely to investigate options to allow power users to update the certificate MC uses automatically (i.e. in a script), so such an automation could be set up externally.