
Author Topic: MCWS + SSL  (Read 3539 times)

hoyt

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 863
MCWS + SSL
« on: April 03, 2016, 07:58:27 am »

Am I correct in saying that there is no way to run the MC server under https today?  Any plans to allow us to run the MCWS under https?  As I start to do more with it, I don't like the fact that it authenticates over http.  I suppose I could try to wrap my server with a local SSL server that would be used only for /Authentication and then respond back with the token, but that would be a bit of a pain to maintain and only cover the apps I wrote on top.  I'd rather move the whole media server to a more secure communication protocol.

Thanks!

mwillems

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 5181
  • "Linux Merit Badge" Recipient
Re: MCWS + SSL
« Reply #1 on: April 03, 2016, 09:46:31 am »

This has been discussed a few times in the past.  There is currently no way to use https with MCWS, and my understanding is that it's not on the near term roadmap.  If you want secure remote access to your own server at the moment, the best way to do it is to set up a VPN on your home network; that doesn't answer the question if you're making apps for other people, obviously, but for your own use that's far and away the best solution. 

I log into my VPN and as far as Gizmo or JRemote are concerned, they're on my LAN and everything works fine.  Performance is pretty good (obviously hardware dependent, but in my case not distinguishable from a direct connection).

hoyt

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 863
Re: MCWS + SSL
« Reply #2 on: April 04, 2016, 09:01:39 am »

There is currently no way to use https with MCWS, and my understanding is that it's not on the near term roadmap.

Too bad, but understandable.  I'm sure it's not an easy change to ship a more secure setup, but something that should be considered.  Maybe people don't realize what a non-SSL connection means.

I think setting up a VPN for what I want is too much of a pain to deal with.  I have an SSL server on my network, so I think I may build an authorization webservice that can then call my MC server within the LAN to get the token.  Then I can respond back from that with the token for the service to use over http.  So instead of calling mc-server/MCWS/v1/Authorize, I'd call SSL-server/Custom_Authorize_Service.  That's not ideal, but it's better than sending the password through http.  I could then even set up additional users via my own SSL service that translates into the single username/password capability in MC.  Not sure what that gets me right now, but something I could at least have within my own control.

bob

  • Administrator
  • Citizen of the Universe
  • *****
  • Posts: 13599
Re: MCWS + SSL
« Reply #3 on: April 04, 2016, 11:51:46 am »

If we implemented https with MCWS you'd need a real certificate from a certificate authority and your own domain name for the internet reader in MC to be able to connect to the MC server without doing some futzing around with the internet security in windows. There are places you can get free ones for personal use for 1 year terms but they don't make it very user friendly from what I've seen so far...

hoyt

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 863
Re: MCWS + SSL
« Reply #4 on: April 04, 2016, 02:22:20 pm »

If we implemented https with MCWS you'd need a real certificate from a certificate authority and your own domain name for the internet reader in MC to be able to connect to the MC server without doing some futzing around with the internet security in windows. There are places you can get free ones for personal use for 1 year terms but they don't make it very user friendly from what I've seen so far...

Correct, but I'd like that option because I'm willing to do that and don't want my passwords transferred over the web in plain text.  Sounds like there are others here with the same thoughts.

I've found https://www.startssl.com/ to be fairly simple to direct other people to (their web support for a free product is fantastic).  The free ones expire in a year, but if you want an SSL connection, it's not asking that much to pay for it.  It's only $60 for a two year certificate.

glynor

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 19608
Re: MCWS + SSL
« Reply #5 on: April 04, 2016, 06:38:02 pm »

If we implemented https with MCWS you'd need a real certificate from a certificate authority and your own domain name for the internet reader in MC to be able to connect to the MC server without doing some futzing around with the internet security in windows. There are places you can get free ones for personal use for 1 year terms but they don't make it very user friendly from what I've seen so far...

Why? You could just generate a self-signed cert, like every router on the planet uses for its web interface.

I wouldn't think you'd even offer the option to upload your own cert unless you really, really want to expose that to the end user. A self-signed cert is absolutely fine for confidentiality (the encryption works fine); it just doesn't provide identity without using one signed by a CA.

Identity for MCWS isn't extremely important (you'd notice if you connected to someone else's server, after all), but privacy could be, because with MCWS as it is, if you poke a hole through your router, any malicious actor on the same network as your client could log in and delete your entire Library.

There is a way to reasonably secure it now (while still allowing JRemote/Gizmo to easily connect without VPN) but it is a huge pain, requiring VMs and other nonsense, and you give up the ability to update play counts on the server with your mobile devices.
"Some cultures are defined by their relationship to cheese."

Visit me on the Interweb Thingie: http://glynor.com/

glynor

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 19608
Re: MCWS + SSL
« Reply #6 on: April 04, 2016, 06:46:30 pm »

PS. Nerd thing that can be ignored: We're discussing TLS, not SSL. SSL is horribly broken.
"Some cultures are defined by their relationship to cheese."

Visit me on the Interweb Thingie: http://glynor.com/

Hendrik

  • Administrator
  • Citizen of the Universe
  • *****
  • Posts: 10786
Re: MCWS + SSL
« Reply #7 on: April 04, 2016, 07:38:04 pm »

Why? You could just generate a self-signed cert, like every router on the planet uses for its web interface.

It's not about our dislike for self-signed certs, but uncertainty if we can make all our clients accept untrusted certs without big annoyances. But we're still talking about that topic.
~ nevcairiel
~ Author of LAV Filters

glynor

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 19608
Re: MCWS + SSL
« Reply #8 on: April 04, 2016, 08:45:47 pm »

Because of the OS provided TLS client libraries? I don't know about Linux, but this should work on Win, iOS, and OSX. They'll show the user an accept prompt with the fingerprint the first time.

But, if it is an issue, you could just include a client library yourself, right? There are a bunch of implementations out there...
"Some cultures are defined by their relationship to cheese."

Visit me on the Interweb Thingie: http://glynor.com/

glynor

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 19608
Re: MCWS + SSL
« Reply #9 on: April 04, 2016, 08:53:50 pm »

It works with our Polycom Resource Manager (which uses a self-signed cert), even Android copies of RealPresence Mobile, at work. Shows an accept prompt on first connect and then works fine.

I'm, obviously, not sure if they include their own TLS client libraries on any or all of those platforms. Though I bet they use the OS-provided ones on iOS at least, and probably on the other OSes (the accept-this-cert dialogs are all OS-skinned on the different platforms, and the clients are all custom skinned). They don't have a Linux client, but I use it on all the other platforms.

Anyway, I've certainly never tried it, but there must be a way to do it with a client application, especially when you control the server and the client code.
"Some cultures are defined by their relationship to cheese."

Visit me on the Interweb Thingie: http://glynor.com/
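The "accept the fingerprint on first connect" behaviour glynor describes in replies #8 and #9, written out as a trust-on-first-use pin check. This is an added example, not code from the forum posters or from JRiver; it assumes the MCWS server presents a self-signed certificate and that the client keeps a local JSON file of host-to-fingerprint pins.

```python
import hashlib
import json
import socket
import ssl
from pathlib import Path


class PinMismatch(Exception):
    """A previously pinned host presented a different certificate."""


def fingerprint(der_cert: bytes) -> str:
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


class PinStore:
    """host -> fingerprint map on disk: first sight pins, later sights verify."""

    def __init__(self, path: Path):
        self.path = Path(path)
        self.pins = json.loads(self.path.read_text()) if self.path.exists() else {}

    def check(self, host: str, der_cert: bytes) -> bool:
        """True if host is new (pin recorded), False if it matches the stored pin."""
        fp = fingerprint(der_cert)
        stored = self.pins.get(host)
        if stored is None:
            self.pins[host] = fp
            self.path.write_text(json.dumps(self.pins, indent=2))
            return True
        if stored != fp:
            raise PinMismatch(f"{host}: pinned {stored}, got {fp}")
        return False


def connect_pinned(host: str, port: int, store: PinStore) -> ssl.SSLSocket:
    """TLS connect to a self-signed server (assumed address), pin check instead of CA."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # no CA-signed name to check
    ctx.verify_mode = ssl.CERT_NONE  # the pin below is the identity check
    sock = ctx.wrap_socket(socket.create_connection((host, port)),
                           server_hostname=host)
    try:
        store.check(host, sock.getpeercert(binary_form=True))
    except PinMismatch:
        sock.close()  # refuse to talk to an unexpected certificate
        raise
    return sock
```

This gives the confidentiality of the self-signed cert plus identity from the second connection onward; only the first connection is taken on trust, which is exactly the prompt-once model discussed above.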