My E-Series (2012) Samsung TV recently stopped working with plex pass due to the fact that it can only use TLS 1.1 and the website plex.tv has now finally stopped supporting that old protocol.
That means that I can still use the (unofficial) smarthub plex app with local connections but cannot switch my users, because that would require a login with plex.tv (which I obviously have) but cannot use because of this old TLS version.
Currently I am trying to compensate for this by DNS-spoofing my TV and redirecting to another server of mine which does the proxy-pass with old TLS to the real site.
I do not know if this will eventually work, but I thought that it would be a lot easier if I adjusted the source of the app.
Does anyone (maybe @orca or @panni) still have the source (more or less just the unminified version of "plex.min.js") lying around?
I am also running 2.012, still works with secure connections disabled
But what are you saying? If I should log off/log on again after some kind of reset, I won't be able to anymore? So I am stuck with the account now logged in?
That depends mainly on your model. I cannot tell which version (F, H etc.) has implemented TLS 1.2 but E-Series (and below) definitely cannot handle anything higher than TLS 1.1
If I should log off/log on again after some kind of reset, I won't be able to anymore? So I am stuck with the account now logged in?
That's exactly what happened to me. I was logged in with the account of my children and wanted to switch to my personal user.
This did not work but I was still logged in with the child-user.
I uninstalled the app, did not find the app in the samsung store anymore, sideloaded 2.013 and could not pair the app - only via local mode without users.
So I started digging deeper with wireshark and dnsmasq / tcpdump and discovered the TLS problem.
There are multiple solutions:
1. The maintainers of plex.tv re-activate TLS 1.1 and/or SSLv3 => This would work for all users of old devices out there. I think they won't do that, as the protocol is pretty much broken.
2. I get access to the source code of the unofficial plex app for smarthub and rewrite the code, so that a server of mine will proxy and upgrade the connection to TLS 1.2 or higher. I then could release a new version of the app for everyone => this could be seen as a security issue because it is essentially a man-in-the-middle attack. Only users who trust me should do this. But as a prerequisite I depend on the ones who hold the source code and are willing to give it to me.
3. Pretty much the same as the previous one, but I would rewrite the minified code, which can be hard => same as above, but I don't need the source.
4. Rooting the TV / compiling a new firmware with a custom CA certificate which accepts a "faked" server for plex.tv and does the proxy to the real plex.tv => this is what I am currently working on, as long as I don't have access to the source code. Pretty much nothing a normal user would do, as this can and will brick your device if you don't know what you are doing.
I have the 2 H series... any idea how I can figure out the TLS version?
You would have to read datasheets (I doubt that this would be mentioned there) or use a software router (many options out there) to wireshark the traffic. I would assume that you might be in luck, as the H-Series is many years younger than my E-Series.
Another option would be to try to switch the user on the app itself, if you are willing to take the risk.
I don't think we will get the source of orca version
I still hope that @orca is willing to give the source to me, as I will do the work, maybe @panni has also another copy. The best thing we can do is wait. So I am working on option 4 as that is the quickest way for me. This will not work on H-Series as they need another firmware than my E-Series.
If I am successful with option 4, I might consider implementing option 3 (no benefit for me at all) to help out others. Although I would prefer option 2.
Hey @plex_tyrael_metaname_de I tried with webbrowser on my 32" model, I can browse to plex.tv, but there is just a background, no login screen or something else... So I am also impacted? See screenshot
I succeeded with option 3, so I have modified the unofficial plex app to talk to another server which then acts as a proxy and upgrades the TLS version on the fly.
I am still checking if nothing out of the ordinary happens here and then will post the details.
@panni and @orca: is it okay for you if I release a new version of the app here for sideloading?
On the user-login screen the icons for users do not load.
Technical information: this is because the "real" plex.tv server responds with a list of icons to download but the path is absolute (i.e. with domain-name). Since the TV cannot establish the connection directly to plex.tv the images won't load.
This could be fixed by intercepting the traffic, changing the absolute path to my proxy-server and then it would work.
But I might consider not doing that at all:
It is a non-critical issue.
Fixing it would mean that I will intercept all traffic and parse it. I want to prevent that as this could be seen as a real MITM-attack to regular users.
I want the app to just be a regular proxy without intercepting any traffic.
Ok, I normally stay out of the chat as much as I can, but this is a bit sketchy.
Although I don't think you have bad intentions, I must advise anyone to not do this.
What is going to happen: All your Plex traffic will be sent to a server that has full access to anything you send to it! It can see your Plex client codes and everything! Do not do this!
Oh, and I do not grant you the right to distribute any version of the app modified in this way!
If you want to help users, explain to them how they can set up a reverse proxy themselves that will handle the upgrade to TLS 1.2. In that way they are in control, and are not compromising their data.
@orca thanks for your response, it is very much appreciated!
To everyone else: yes, he is right. All of the traffic can be intercepted with the modified version because you would be talking to a different server. I think I made that clear enough. That is one of the main reasons I did not release the app. The missing authorization from orca was another reason (even if you might think it is abandonware). There are multiple other reasons not to release it, or maybe to rebuild it from scratch.
The biggest issue for E/F-Series users is: your system is compromised. TLS 1.1 has too many bugs and they are not fixable. That is why all servers are shutting down the obsolete protocol. Many Smart-TVs talk back to "home" and the Samsungs are no exception. Even if they are old, my E-Series talks to many different sites and I would assume (almost verified!) not just for checking for updates.
So what are the options? Throw away a perfectly usable Smart-TV? Buy an Amazon-Stick? You name it.
I am very short on time but I would take on the development, this is all about trust. Do you trust plex.tv? Do you trust me? You should not trust anyone! (on the internet, as far as that goes).
I am glad, that @orca replied, and that he reinforced the security concerns! That is a vital component of an open source mindset.
I also like the idea of enabling each and everyone to run their own reverse proxy to do it. At first I thought of running that on the TV itself, but rooting is not for everyone. So I guess @orca is right. Everyone should run a reverse proxy on their own, if they want to use an old Smart-TV. This would be the safest thing to do!
It is not especially hard to set up, nor does it take many resources. But to do it, everyone else must be able to make some minimal changes to the individual apps. I am willing to put up a full "howto" and release that to the public. But if we want to improve it even further, a full open source access to the previous app would be helpful. @orca: are you willing to release your source so that the community is able to take on? This would be very much appreciated by all of us!
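The self-hosted reverse proxy discussed above, as an added example that is not code from the thread or from the app: the TV-facing listener accepts TLS 1.1 on the LAN, while the leg to plex.tv enforces TLS 1.2 or newer with certificate verification. The listen address and certificate file names are assumptions, and the TV must already trust that certificate.

```python
import asyncio
import ssl

UPSTREAM_HOST = "plex.tv"             # the real site named in the thread
LISTEN_ADDR = ("192.168.1.10", 443)   # assumption: LAN address of your own proxy box

def upstream_context() -> ssl.SSLContext:
    """Proxy -> plex.tv leg: modern TLS with full certificate verification."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED plus hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def legacy_context(certfile: str, keyfile: str) -> ssl.SSLContext:
    """TV -> proxy leg: accepts TLS 1.1, so expose it on the LAN only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_1
    ctx.set_ciphers("DEFAULT:@SECLEVEL=0")        # OpenSSL 3 only negotiates TLS 1.1 at level 0
    ctx.load_cert_chain(certfile, keyfile)
    return ctx

async def pipe(reader, writer) -> None:
    """Copy decrypted bytes one way until EOF, then close the far side."""
    try:
        while data := await reader.read(65536):
            writer.write(data)
            await writer.drain()
    finally:
        writer.close()

async def handle(tv_reader, tv_writer) -> None:
    """Open a verified TLS 1.2+ connection upstream for each TV connection."""
    up_reader, up_writer = await asyncio.open_connection(
        UPSTREAM_HOST, 443, ssl=upstream_context(), server_hostname=UPSTREAM_HOST)
    await asyncio.gather(pipe(tv_reader, up_writer), pipe(up_reader, tv_writer),
                         return_exceptions=True)

async def main(certfile="proxy.crt", keyfile="proxy.key"):  # hypothetical file names
    server = await asyncio.start_server(
        handle, *LISTEN_ADDR, ssl=legacy_context(certfile, keyfile))
    async with server:
        await server.serve_forever()

if __name__ == "__main__":
    asyncio.run(main())
```

Because the proxy terminates TLS, it sees the Plex traffic in clear text, which is why the thread recommends that each user runs it on hardware they control.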