"+1" posts are not regarded as votes, and they just spam up the forum. Please click "Like this" on message #1 of the thread to record a vote.
https://forums.plex.tv/topic/46128-rules-for-this-forum-inc-how-to-vote/
OR!!!! an even better idea is that the plex developers actually do something beneficial and INCLUDE SECURITY! now wouldn't that be a crazy idea? then there would be no more +1 posts. Seems pretty much that Plex is just keep leading everyone on with no near sight of security.
So, from what it looks like, the security holes are here to stay for a while. It's late here, but I haven't seen any Plex devs. pitching in a rough outline fix for these issues, not even an acknowledgement or thought-bubble. I would agree with some of you that the SSL feature may be a compatibility issue for all devices that use Plex, which would lead the devs. to hold off until a fix for it all is found. However, I don't think that makes a whole lot of sense with how bug fixes for the most minor things come out way before this; before any honest public statement has been made about it (but I could be not looking in the right places).
Even if SSL isn't compatible with all devices and even if the devs. want to wait for the end-all-be-all, I'd really appreciate an outline. (A lot of us probably would.) Security may not be important to all, but it isn't paranoia. It's very parallel to any one person not wanting/having to disclose even a public conversation (e.g. whispering/foreign language). Yeah, they're doing it out in the open so people know they're talking, but screw other people being nosy, especially so-called best-interest corporations and gov. agencies. And, what about those who go out of their way to be malicious on the Internet? Are the Plex devs. telling us (without actually telling us) that we just have to deal with it even though viable protections exist? Protections many other cross-platform services have seemed to figure out rather well.
In addition, with some comments I've read about not allowing Managed Users to download or sync, it feels as though the Plex team is working with the companies/govs. trying to prevent certain actions (legal or not) and give way for other entities to take a big ol' peek at what you're up to. And, as others have stated, other applications allow downloading/sharing/syncing without any legal issues to speak of. So, what gives? If there's a problem Plex devs., what's wrong with just telling us? Focusing effort towards things like "Sonic fingerprinting" when a large group of your paid user-base is asking for security.
But, you know, maybe I'm wrong (and I very well could be), but it seems a tad bit fishy to be promoting all of these new features, raising prices, and overall not communicating with users (especially paid) about what they want in the application. Is that not how to keep a user-base? Ah, yes, I understand priories. The original start of Plex was estranged because of the push/pull for different ideas and trends, but that's not an excuse to ignore the user-base. Your user-base will resent you, despite how many fancy buttons are thrown out there.
And finally, if the Plex team wants to be taken seriously they should actually talk to us without having "Dedicated Members" backing them up with hearsay speculation. We can talk all day long, but in reality the Plex team needs to learn better PR skills with what's going on. It's really not that hard.
Plex & Plex.tv/web/app are both insanely insecure. It's insanely upsetting and, honestly, disgraceful.
As mentioned in another thread, they are integrating a fix for this:
There is also this quote:
A fix is almost here :)
Having a workaround for users who can 'use openssl in a terminal' is infinitely better than just not having a fix what-so-ever. That's like a Doctor saying "If I had saved the patient they would have been unable to use their left pinkie, so I left her to die".
EDIT:- Sorry for the double post, can't work out how to delete this post.
As mentioned in another thread, they are integrating a fix for this:
There is also this quote:
A fix is almost here :)
Not to be a sour puss, but you can only hear... "it's almost here" / "soon" for so many months before you just stop believing it...
Not to be a sour puss, but you can only hear... "it's almost here" / "soon" for so many months before you just stop believing it...
True true ... they make it seem like they are reinventing the wheel! just poor lack of customer service/support in my opinion which seems to always have been lacking.
Reminds me of Boxee Box and Netflix app. Soon was a year or two.
Not to be a sour puss, but you can only hear... "it's almost here" / "soon" for so many months before you just stop believing it...
So - looks like there is still no security additions or fixes in the new PMS build. 
Sent from my iPad using Tapatalk
Not to be a sour puss, but you can only hear... "it's almost here" / "soon" for so many months before you just stop believing it...
Have a look at emby (previous media browser) they are actually implementing security features and others that users want.
Have a look at emby (previous media browser) they are actually implementing security features and others that users want.
Please report back what your impressions were. My family is getting fed up with the current VPN solution, and I am seriously considering a migration. I am fed up banging my head into a brick wall without any visible progress being made or any indication of progress.
The mantra "We don't disclose on any future releases" is totally unacceptable for me, especially since that means I end up in some waiting cycle for security updates for over a year now without any indication of an delivery date. I really feel I am being stalled here. Emby probably has its own problems, but at least it doesn't end in the black hole called the development team.
Jaap
I love the fact that you can do SSL over Emby (and force it to external clients). The only thing not functioning properly right now is "Emby Connect" which is supposed to make it work like plex.tv/web basically.
Other than that, everything functions as expected. Also, it's open source - which is a very good reason to switch.
I'm already a PlexPass lifetime member, but I've been looking at threads about Plex security (and specifically SSL to/from clients) for more than a year now - and it's still not being addressed by anyone.
Plex public relations and customer support is (sadly) appalling. I don't want it to be - it makes me look bad because I've been advocating Plex to friends and family for a couple of years now. I know at least 5 people who are PlexPass subscribers because I told them it'd be worth it. I'm beginning to regret that.
I know the feeling.... :(Plex public relations and customer support is (sadly) appalling. I don't want it to be - it makes me look bad because I've been advocating Plex to friends and family for a couple of years now. I know at least 5 people who are PlexPass subscribers because I told them it'd be worth it. I'm beginning to regret that.
Can someone explain to me how Emby is handling security? I haven't tried the program to see what their take is. My main questions are:
Does the user have to install things or does it just work?
Is it secure to all their current clients or only certain ones?
Looks like they've just implemented a self-signed cert that's auto generated. Certainly not anything we can't already do with Plex, keeping in mind it breaks Emby Connect, just like it would break plex web. Better than nothing, but I hope the Plex solution is going to be better.
-edit-
You can also upload your own pfx for Emby as well.
Looks like they've just implemented a self-signed cert that's auto generated. Certainly not anything we can't already do with Plex, keeping in mind it breaks Emby Connect, just like it would break plex web. Better than nothing, but I hope the Plex solution is going to be better.
-edit-
You can also upload your own pfx for Emby as well.
How exactly do you do that with Plex?
Yes it does break Emby Connect but this may not be an issue. First you don’t have to use a self-signed cert but can purchase a real cert.
Secondly you don’t need to use “Connect” the same way you do with Plex if you want to share.
Emby has full user accounts/passwords that are setup and managed directly on the Server. So users can log directly into the server without the need to use a 3rd party (connect).
Or you can setup a “connect” account and associate it with the server. This makes it easy to switch between multiple servers like you can with Plex.
I really like the Emby way of doing things much better as it more closely follows a “true” login/management system. It’s also much easier to integrate into an established website or to build on top of it and use the same logins for the rest of the site. It also allows multiple “admin” accounts and allows you to hide libs from yourself in “normal” view while still being able to manage them from the “backend admin”.
Emby can use ports 80 and 443 (configurable) and allows you to configure how they are used. For example 80 can be used from the local intranet while anything external requires 443/ssl. So you can run “unsecured” locally (including DLNA) while keeping external connections security. A pretty good compromise.
The problem with cert for Plex is that they have a lot more clients and these all handle things/security differently which is part of the reason the “security fixes” have been long coming to Plex. With Emby is easy for now as they only have a couple of clients to worry about.
Pluses and Minuses for each way of doing it.
Carlo
How exactly do you do that with Plex?
You can't do it with Plex directly, but with an Nginx or Apache node infront of it that redirects traffic to Plex.
Which also has been suggested several times here....Looks like they've just implemented a self-signed cert that's auto generated. Certainly not anything we can't already do with Plex,
