Call me cynical, but 
Okay, Iāll give you that, but there are plenty of other CAs out there with APIs that allow you to create your own certs. DigiCert, for example.
1 Like
millions of domains (48 million at last check) use them (including mine up until recently), soā¦
Yes, I use them too, on a number of servers. LE is a powerful, open and very cheap platform to use. They really are an amazing organisation and I applaud them for what theyāre doing. But are they the right choice for this use case? I donāt think so.
Have a read of these and it may convince you (because I get the feeling Iām not going to 
):
My main argument here is that I think LG would be more likely to push out a new root certificate to their devices if it was for a commercial CA that more businesses depended on. You can bet that when one of DigiCertās root certs next expires the new one will be pushed out fairly quickly. I keep coming back to DigiCert and do yo know why? They issue root certs for Netflix and Amazon Prime. Youāre not going to see LG hanging them out to dryā¦
2 Likes
Thank you for the clarification. I wish there was an option to turn this off.
I found no other way, so in the meantime I updated the root certs on my tv. It works now perfectly.
Still wishing for an official solutionā¦
Thatās a big and legitimate āother thanā¦ā!
I imagine that CA policy and operational capability also matter. Plex needs slightly unusual certificates issued quickly to arbitrary devices. Thereās a lot more scrutiny and diligence of issuance policies and practices these days.
The previous DigiCert solution was interesting; there was a Plex-specific intermediate CA Plex Devices High Assurance CA2. Iām not sure who actually operated and issued certificates from it. Does anybody know?
Thatās a big deal. If I was DigiCert, I would charge a lot for that service. If I was Plex, I wouldnāt want the operational and security and compliance burden.
(Which makes Letās Encrypt the perfect partner.)
I suspect thereās no mechanism for updating only the root CA store in most of those devices, and it probably requires a complete firmware load. So it might not happen, ever.
1 Like
While not directly a solution it might be worth sending a complaint to your local consumer authority. By tying the root certificates to new OS releases LG and Samsung are making their TVās obsolote. Greatly contributing to an explosion in e-waste. Many countries are actively trying to reduce such things these days and they may be able to apply pressure on the big brands. It might not help us right now, but in a few years it could cause some legislation to come along that forces these things to be updated regardless if the product itself is past EOL.
2 Likes
Iām still using an unsecured connection for the LG device since but I still donāt know exactly whatās the possible (realistic) risk of using it like that. Is it worth enough to put everything in in a VPN?
If your server is not available externally itās not dangerous at all. The issue is people like me who use my TV and also use my phone and laptop while travelling. Because of the settings on the server side of Plex not filtering internal and external connections at all I am forced to allow unsecure connections from the internet in order to enable them locally. Because Plex donāt differentiate between connection requirements for different clients a VLAN wonāt help you.
Yes, my server is and was available externally. The LG device is the TV of my parents, itās not part of my local network. The server accepted encrypted connections only as long as I changed it to get the LG running again.
I could create a VPN connection between mine and my parents network. Then all connections will be encrypted by VPN and the server thinks this is a local device. So I donāt have to make Plex available outside my own network anymore. But it will make things more complex and error-prone. Is it worth? What is the attack vector of a plain connection to Plex? Passwords could be snipped but every new device has to confirm a unique pin code at plex.tv/link.
I have the same issue on two LG TVās :
28TL510S SW Ver 06.00.10, Manufacture date Feb 2020
32LM6300 SW Ver 05.00.03 Manufacture date Sept 2020
I also have a 49UJ630V 06.00.20 and this is older than both of the others and it us still working fine!!!
I have tried the allow insecure connections but that does not work for some reason.
I would like to use plex but at this rate I may have to try alternative servers like EM8Yā¦
I also have Xplay client for LG and have had to use this and it works fine! But The interface is not a polished as plex, but it works!
Any ideas???
Last time I tried EM8Y it didnāt worked very well on LG. But I tried it long time before I got the Plex Pass so maybe itās working better now.
I even donāt know there is an alternative player for LG. I will give it a try. But statements like
Try to disable secure connections on Plex Media Server (PMS) in case you have problems connectivity to PMS.
donāt make me think this will work with secure connections. Is Xplay using a secure connection at you setup? Because nobody could answer me what is the real life attack vector of plain connection to Plex Iām using it as today and it still works.
Did you change your Plex server setting to support unsecure connections too?
This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.
