Just to be clear here, we upload 5 recently added thumbs of content so that we can display them to you next to your library section, PURELY for eye-candy, and PURELY for you. They aren't displayed to anyone else, nor do we store any information about the files in your library. We just store the title of the section (e.g. "Home Movies") and the thumbs so that you can share them or look at how pretty they look.
If you don't wish to publish your server, then you don't have to, but in order to enable the zero-conf magic we need to upload some basic information about your library structure (again, nothing about the media inside of it), just the top-level "this server is available here and these are the sections it has".
I'm sorry you were so put off by the thumbnail uploading, we'll consider allowing disabling it in the future.
Elan,
Thanks for the quick reply. I appreciate how responsive the entire PLEX team is. I know when sharing media there is always a spectrum of users, some that want to share everything, some that prefer to share nothing, and some in-between. Since PLEX is growing in popularity and the entire spectrum of users is going to be covered eventually, it makes sense to have some options to control what is shared on myPLEX, rather than the entire server library.
That being said, I am in agreement with previous posts about wanting the ability to set up custom port forwarding and having an authentication system with passwords across every connection mechanism, LAN, WAN, HTML. Since I know how difficult/expensive development can be, I propose creating a “PRO” version of PLEX Server which can be purchased for something like $10-$20 that has all these features. I would be first in line to pay for peace of mind and full control of who has access to my media.
Once again, thanks for the great work, I can’t imagine using any other media manager than PLEX!
I’d also like to point out that opening up the port would NOT give people access to the web manager.
The actual HTML web app is accessible to anyone, but the API calls it makes in order to do anything useful or access any information about your library require authentication.
That's not true. MyPlex and your PMS share a secret -- not a hash used to verify a secret known only to the user, but an actual shared secret known to both your PMS and the MyPlex servers. That secret is *not* your MyPlex password, but it is sufficient to authenticate to your PMS as the owner, and to allow the MyPlex server to generate an arbitrary set of auth tokens that your PMS will accept for read-only access so long as you are signed into MyPlex.
So using MyPlex really does require that you trust the Plex team not to muck with your stuff, or sell you out to advertisers or the MPAA, or get hacked.
To be clear, I don't have any reason to think the Plex team is doing anything nefarious, or that their security is lax, but given the current MyPlex implementation you either have to trust them to do anything you could do via the HTTP interface of the PMS, or not use MyPlex at all.
Well, that or write your own MyPlex server and hijack requests so nothing ever gets to the official MyPlex servers. But that's a big job even for savvy users, given the hard-coded URLs, SSL, etc. If isolation from the central servers is worth significant effort to you, and you've got experience with SSL, DNS, HTTP, and PHP, let me know and I'll hook you up with some relevant code.
I'd certainly pay extra for better access controls, or for the ability to run my own MyPlex server (where I could presumably hack in whatever access controls I like). I'd even pay quite a bit more than $20.
But as usual I'm probably not representative of a very large community.
When I opened my port and went to my_username.dyndns.org:32400/manage it pointed me to the PLEX media manager html site and I could do anything I wanted. Nothing popped up and asked me to enter a password to authenticate? How could you be asked to authenticate if you don't even have the ability to set a password in the PLEX media server itself? Maybe I am missing something?
The PMS checks your source IP address and determines if you are "local" or "remote". Local users have complete access; remote users must authenticate. You don't have any control over what is considered local/remote, but if your PMS is in an RFC1918 address space, users with routable source IP addresses will not be granted access without authentication.
Also note that you can set an auth token via MyPlex (not entirely in your control, but easy to simulate if that's your goal), or by installing the PMS 0.93 server, setting a password, and then using the 0.95 or later PMS without deleting your configuration (i.e. 0.95 will respect passwords set in previous versions).
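The local/remote decision described in the post above, as an added sketch that is not part of the thread and not Plex's code. It assumes "local" means a loopback or RFC 1918 source address and that remote requests present a token; `is_local`, `authorize` and `OWNER_TOKEN` are hypothetical names.

```python
import hmac
import ipaddress
from typing import Optional

# Assumption: "local" = loopback or RFC 1918 private IPv4 space.
# Other ranges (e.g. IPv6 unique-local) are treated as remote here.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

OWNER_TOKEN = "constructed-sample-token"  # constructed value, not a real token


def is_local(source: str) -> bool:
    """Classify a connection's source address as local (True) or remote."""
    addr = ipaddress.ip_address(source)  # raises ValueError on bad input
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so a dual-stack listener
    # classifies the client by its real IPv4 address.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    if addr.is_loopback:
        return True
    return addr.version == 4 and any(addr in net for net in RFC1918)


def authorize(source: str, token: Optional[str] = None) -> str:
    """Return 'allow-local', 'allow-token' or 'deny' for one request."""
    try:
        local = is_local(source)
    except ValueError:
        return "deny"  # unparseable source address fails closed
    if local:
        return "allow-local"  # local users get access without a token
    # Remote users must authenticate; compare in constant time.
    if token is not None and hmac.compare_digest(
            token.encode(), OWNER_TOKEN.encode()):
        return "allow-token"
    return "deny"


if __name__ == "__main__":
    # Constructed sample requests: (source address, token presented)
    for src, tok in [("192.168.1.20", None), ("203.0.113.7", None),
                     ("203.0.113.7", OWNER_TOKEN), ("::ffff:10.0.0.5", None)]:
        print(src, "->", authorize(src, tok))
```

Under this model the source address is the only thing that separates an unauthenticated owner from everyone else, so any front end that relays requests from inside the private network has to enforce authentication itself.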
Basically, you were already authenticated in that browser and it was cached. The PMS saw you were authenticated and "let you through". (Also keep in mind that if you follow the "Plex Media Manager" link from the myPlex website, you're authenticating there, too.) Try visiting the same straight URL (the "my_username.dyndns.org:32400/manage" one) via a different browser with which you've never previously authenticated and you won't be able to do anything in the Media Manager. Likewise, I believe you could wipe all your cookies on a previously-authenticated browser and see the same thing.
Good Info. So if I “trick” PMS 0.95 into using a token (password) I set up on PMS 0.93 I will be asked to enter a password next time I try to access my PMS remotely? Then I can use the password field in the iOS apps and that should just work? No MyPlex involvement?
The current versions of the iOS/Android clients do not support password authentication. Previous versions did support such auth, but it all went away when MyPlex was released.
I can’t speak for Android as I don’t have a device to test with, but the iOS app still supports password authentication if you manually add a connection.
I stand corrected. I thought that had gone away but you're right, it's still there. I've still got a manual connection using it.
Any news on a pro version or just the normal version with a username/password implementation? Really sucks that we are forced to use a service that is as insecure as myplex.
What aspects of myPlex strike you as insecure?
Hi Elan
Well, to be honest, all of it. I have absolutely no control over what Plex has access to. The code is closed source so there is no way for me to see what you do. I have no intention of sharing videos of my family that I can’t be sure only I have access to.
With the current implementation I only have one option, that is to use VPN when I want to access my server from outside the network. This is really not a very good solution, when not all platforms support VPN. It would be much easier if I could access the server with a user/password of my choice.
I really don’t see the point of MyPlex, if you as a user have a server running Plex, there is no reason why you need a central server to store the server information.
Besides this, Plex is a wonderful product and I already bought the Windows Phone, iPhone and Windows 8 versions. So I wouldn’t have a problem paying for a version that supports user/password.
Dear bugger, we’ve chosen to go down a path which was the most convenient for the vast majority of our users. I understand some people don’t trust cloud services, don’t use gmail, never email photos (who knows which machines they pass through or are stored on?), and use VPNs for everything. I respect that, but it’s hard for us to do work to accommodate that sort of workflow. That’s not to say that we won’t continue to enhance security over time and provide enhanced permission controls, but we decided to stop supporting direct user/pass auth into servers because (a) it was insecure and (b) it was extra work to provide alternate mechanisms on all our clients and (c) the choices were confusing users and (d) the user/pass choice was hard to set up without myPlex providing private IP.
I feel I have to ask a simple question here, since it (as far as I can see) hasn't been answered.
Can the myPlex servers generate a security token for my server that the server will accept without my password? What I'm asking here is how is the server sure that the request from myPlex is from me or the ones I've shared my content with.
Or, if Plex got a court order to provide access to my server, could they do it?
Dear bugger, we've chosen to go down a path which was the most convenient for the vast majority of our users. I understand some people don't trust cloud services, don't use gmail, never email photos (who knows which machines they pass through or are stored on?), and use VPNs for everything. I respect that, but it's hard for us to do work to accommodate that sort of workflow. That's not to say that we won't continue to enhance security over time and provide enhanced permission controls, but we decided to stop supporting direct user/pass auth into servers because (a) it was insecure and (b) it was extra work to provide alternate mechanisms on all our clients and (c) the choices were confusing users and (d) the user/pass choice was hard to set up without myPlex providing private IP.
This is really a shame. Authentication already existed in Plex, and I personally don't see why it couldn't have been hidden under advanced settings. The only two effective reasons I see are the security was poor if not properly wrapped in SSL (which would be a one time fix), or the need to push myPlex to drive subscriptions to monetize the software. I'm also not condemning the latter point, I'm just disappointed I can't use Plex the way I would like going forward.
As a follow up question, if I do not use the queue, but I watch half of a video, where is the metadata and last watched point stored? Server, Client, or MyPlex?
Thanks.
I feel I have to ask a simple question here, since it (as far as I can see) hasn't been answered.
Can the myPlex servers generate a security token for my server that the server will accept without my password? What I'm asking here is how is the server sure that the request from myPlex is from me or the ones I've shared my content with.
Or, if Plex got a court order to provide access to my server, could they do it?
This is really the same question I had which prompted the googling that led to finding this thread. I'm slightly reassured due to the fact that Plex staff has responded at all, rather than simply deleting the thread, but I'm not sure this point has been driven home. The only thing standing between me and purchasing a lifetime subscription and using the service is this question, as I'd really like the convenience of using my media libraries from mobile devices without endless VPN configuration nightmares.
In this day and age, it's not at all uncommon to hear about companies suddenly deciding that they want (advertising) or have to (legal) divulge information. So, what we really need to ask is... If Plex receives a subpoena to turn over data about a particular user, what would be in it?
I will say thank you to the staff and users for this forum. I won't lie, I didn't understand half of it, but I think I have a better understanding of how this works.