My daughter’s remote Samsung client app wasn’t able to play anything. In the server logs, it indicated the client app wasn’t able to send the server a profile. Changing the client app setting, Allow insecure connections to “always” fixed the problem and everything works fine. BUT, have I compromised my server’s security? Has she compromised her client’s security? Is it a case (as I suspect) of the server connection still being secure, just that the client app no longer checks for a secure connection?
IMO, secure communication between server and clients is mainly a matter of privacy, not so much of security.
Security or Privacy, could you please explain the difference? Is the privacy compromised?
If the connection between the server and a remote client is not encrypted, then an eavesdropper could gain information.
Like
- the fact that Plex is used
- the address of the server
- what content is watched
Stuff like that.
That is what I consider privacy related.
Security would be a means to break into your server or the client device. Which is not very likely, unless the attacker knows about a serious software flaw in Plex. Currently there is no such flaw known.
However, it is of course better if no information about the type of communication and the contents thereof could be gained by an outsider.
Thanks. So is the privacy or security compromised in either the server or client by setting the client setting allow insecure connections to “always”? Is it a case (as I suspect) of the server connection still being secure, just that the client app no longer checks for a secure connection?
Or does it mean the connection is no longer encrypted for instance?
I would say that as the setting refers to “insecure” connections they are talking about security and not privacy.
Does this support article from Plex help explain things at all? (There’s a link in there to an explainer of how Plex is providing secure connections; I’d recommend veering off to that page as well.)
https://support.plex.tv/articles/206225077-how-to-use-secure-server-connections/
When using secure connections, client connections to your server are served over HTTPS and are thus encrypted. When using insecure connections, client connections to your server are served over HTTP and are thus in plain-text.
The upshot of this is when insecure connections are being used (HTTP, plain-text), certain information can be leaked (as Otto said above). My personal suggestion would be to strive to use secure connections whenever possible to prevent this leakage. It may be time for your daughter to invest in a cheap set-top-box (the Walmart Onn Android TV boxes come to mind) instead of using the TV’s native client.
Yes, I’ve read all of those. No use at all, in fact, it doesn’t even mention the client app setting, “allow insecure connections” or its consequences. So you are saying only text as in the form of a client device profile is affected by this setting? And not the transport stream which will remain encrypted? That my server is not affected by the setting. If it’s only affecting the sending and receiving of device information then there is nothing to be concerned about, it’s hardly even a privacy matter. I do hope you are right.
I would point out that my server is set to use secure connections but I am asking about the client setting.
Do you have any evidence to back your assertion that changing the client setting overrides server settings?
I’ll defer back to Otto on this, he is far more versed in the inner workings.
However, my understanding is that the server and client settings work hand in hand. That is, if you have the server setting set to “Preferred” and the client set to “Always,” then it can fall back to insecure connections. However, if you have the server set to “Required,” then it cannot fall back.
So, what is your server’s “Secure connections” set to? Preferred or Required?
And no, no evidence. Only past experience. However, I never asserted that the client setting overrides the server setting. Or at least that wasn’t my intent. I was speaking more generally about secure connections as a whole and the implications of not using them.
It’s set to “preferred”. It does say though “When set to “Required”, some unencrypted connections (originating from the Media Server computer) will still be allowed”, so I don’t know where you get “it cannot fall back” from. Maybe you could expand more on your past experience with this? More and more I think I’m correct in saying the client app setting, “allow insecure connections - Always” only tells the client app not to look for a secure connection and the connection remains secure.
I would also point out that the setting is allow insecure connections and not “don’t use insecure connections”
The key bit is “originating from the Media Server computer.” Those are internal connections from the server to itself or its components and so are not required to be secure (they are internal). An example of this would be the transcoder process communicating with the server process (they run as separate processes).
See the bit in green here:
This is why I asserted that the server setting takes precedence. If it is set to “Required,” no client can connect insecurely.
(Note, there are some exceptions which likely don’t apply in most cases. Specifically flinging/casting content and manual connections, which do not support HTTPS. You can’t fling to a device across the Internet from Plex, and most folks don’t use manual connections across the Internet but I won’t say never. But, as they say, it’s the exceptions which make the rule.)
I don’t think I used that terminology, but if I did and it confused things, I apologize.
Finally, I primarily wanted to bring some understanding to “secure” vs. “insecure” connections. That is, secure connections use encrypted HTTPS and insecure connections use plaintext HTTP. This is between the client and the server. So if the client is somewhere remote from you, connecting over the Internet, then someone interested in that traffic could potentially collect some information if you’re using an HTTP connection. How much information and how useful it would be I won’t attempt to comment on.
I don’t think I succeeded in doing anything other than confusing things, and for that I apologize. I’m going to go ahead and bow out of this thread and let @OttoKerner correct me if I got things wrong.
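The HTTP-versus-HTTPS distinction made in the post above, shown as an added example that is not from this thread or from Plex: a passive observer on the path can read the entire request line, query string and headers of a plaintext HTTP request, whereas for an HTTPS connection the only application-level detail visible before encryption starts is the server name in the TLS ClientHello (SNI). All bytes, hostnames, paths and header values below are constructed for the example; the X-Plex-* names are illustrative and nothing here is captured traffic.

```python
"""
Added example: what an on-path observer learns from a plaintext HTTP
request versus a TLS (HTTPS) handshake carrying the same request.
Everything below is constructed; no real server or client is involved.
"""
import struct
from typing import Optional

# Constructed plaintext request shaped like a media client talking to a
# server over HTTP. Hostname, path, token and header values are invented.
PLAINTEXT_REQUEST = (
    b"GET /library/metadata/12345/children?X-Plex-Token=REDACTED-EXAMPLE HTTP/1.1\r\n"
    b"Host: plex.example.net:32400\r\n"
    b"X-Plex-Product: Example TV App\r\n"
    b"X-Plex-Platform: Tizen\r\n"
    b"Accept: application/json\r\n"
    b"\r\n"
)


def observer_view_http(raw: bytes) -> dict:
    """Parse a plaintext HTTP/1.1 request the way an eavesdropper could."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    path, _, query = target.partition("?")
    params = dict(kv.split("=", 1) for kv in query.split("&") if kv) if query else {}
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Method, path (what is being watched), auth token and client identity
    # are all readable: this is the "privacy" leakage discussed in the thread.
    return {"method": method, "path": path, "query": params, "headers": headers}


def build_client_hello(server_name: str) -> bytes:
    """Build a minimal TLS ClientHello record carrying an SNI extension."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name     # name_type host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # extension type 0 = server_name
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"                                   # client_version (TLS 1.2 wire value)
        + b"\x11" * 32                                # client random (fixed, constructed)
        + b"\x00"                                     # session_id length 0
        + struct.pack("!H", 4) + b"\x13\x01\x13\x02"  # two cipher suites
        + b"\x01\x00"                                 # compression methods: null only
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_sni(record: bytes) -> Optional[str]:
    """Extract the server_name from a ClientHello; None for any other record."""
    if len(record) < 6 or record[0] != 0x16:
        return None
    hs = record[5:]
    if hs[0] != 0x01:
        return None
    pos = 4 + 2 + 32                      # handshake header, version, random
    pos += 1 + hs[pos]                    # session_id
    cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2 + cs_len                     # cipher_suites
    pos += 1 + hs[pos]                    # compression_methods
    ext_total = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        if ext_type == 0:
            p = pos + 2                   # skip server_name_list length
            name_type = hs[p]
            name_len = struct.unpack("!H", hs[p + 1:p + 3])[0]
            if name_type == 0:
                return hs[p + 3:p + 3 + name_len].decode("ascii")
        pos += ext_len
    return None


def observer_view_tls(record: bytes) -> dict:
    """With HTTPS, the request itself is encrypted; only the SNI name is visible
    on the wire (absent Encrypted Client Hello), not paths, tokens or headers."""
    return {"sni": parse_sni(record), "request_visible": False}


def compare_exposure() -> dict:
    """Side-by-side view for the same logical request over HTTP and HTTPS."""
    return {
        "http": observer_view_http(PLAINTEXT_REQUEST),
        "https": observer_view_tls(build_client_hello("plex.example.net")),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(compare_exposure(), indent=2))
```

Run it and compare the two halves of the output: the HTTP side exposes the library path, the token in the query string and the client product, while the HTTPS side yields only the hostname. This is the practical difference behind the thread's "preferred" versus "required" discussion: when a client is allowed to fall back to HTTP, the whole request is readable by anyone on the path.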
Yeah, I don’t think you understand that I’m not talking about server settings, nor that I do understand what a secure connection is and why it’s used. Which is why I asked about the CLIENT SETTING.
I can confirm that the client app setting, “allow insecure connections - Always” does NOT cause the connection to be insecure; if they need this setting they will already be insecure regardless of the setting, whatever it is. Not selecting “always” will not make the connection secure, but selecting it will allow the client to work. Client apps that need this setting are already insecure because the “DST Root CA X3” cross-signature on all their certificates is useless, because Let’s Encrypt now relies on their own “ISRG Root X1” signature for all certificates, and this can also be the case with other stand-alone devices besides TVs as well. I can also confirm that the connections between these devices and the streaming server will be unencrypted over the internet.