Tailscale controls the routing, thus the traffic. They control which keys get trusted. They most of the time distribute and develop the software.

It would be quite easy for them to start snooping on traffic, while on the internet anything basically is additional encrypted, that would not apply so broadly to the traffic that get sent via tailscale especially the self hosted crowd, a lot of that traffic would be http and unencrypted.

Just as much as Tailscale is self hosting.

So not at all?

Tailscale is just a Service. Not sure how you could even think calling Tailscale self hosting.

I think it’s not congruent with wanting to improve jellyfin if your reflex is immediately to say that nothing is truly secure.

At no point in life I said that.

Jellyfin has proven with the latest RCEs that they can handle relevant critical security vulnabilities.

As always, jellyfin does not have that much relevant contributers, and a lot of work has been done in recent time. It is very easy to lean back and say what they should or should not have been doing.

Breaking Clients would make the project not usable for many ppl or at least decrease the usability.

As i have already said, getting uodatea on those closed eco systems can be a nightmare.

I am saying all this because it’s more blown up than it is. I have said in basically every single post that it needs to be fixed right? So pls do not suggest that I do not want it to get better.

But, this link to the collection of vulnerabilities gets posted on every argument without any explanation and or classification. Which is also not ok.

I don’t think downplaying them is the way to go though, Some of these issues have been in existence since 2019.

I am not downplaying them. And yes they should get fixed. But this attack needs access to an account on your server.

so as long as you can guess the full file path,

Yes, also should be fixed, probably by some sort of salt and authentication, but can be easily prevented by adding a random character in the base/root path to the media. Especially with docker or similar, thats an 1 min fix.

And even if not? What then? Why would someone want to attack that?

Those are not good, no. But no deal breakers and actually more blown up then downplayed imho.

Just because you do know any or that there are no know to the public does not mean it is secure. Do we know if the plex communication with your server is secure? No one cares, because no one is looking into it.

The main issue, is that ita not that simple to get new versions on the closed eco systems on many smart TV, especially when you are just a single dev and no company who can throw money on the problem.

As I said, the issue is not that big, and mainly an excuse for most ppl. The API break will come, hopefully sooner than later, but it needs to be carefully designed, to prevent issues in the future.

But again, the current issue is not that much of a problem. I do not see the benefit of anyone to probe my server if i have certain media files on there. And i do not use the default paths.

I am saying that the mentioned security vulnerbility is not as big as ppm make it to be. The bad thing right now is that IF you know the exact path of a media item you can probe if its there. As soon as you varg your path by just single character from the default/guides that are out there, this is basically no longer practical.

Is this ok? No. But to fix this, every Client would be broken.

The current API dies not follow modern security practices since some are not or partially autheticated. Thats basically inherited by Emby.

That is the current main issue and needs to be dealt with.

I assume that after the last EFcore (database handling) this gets addressed since now the API can be designed around the standerized databade calls.

Also overseer is also not saying “pls host on the public internet”. If you do so, you are on your own. Why jellyfin gets treaded different? I do not know.

EDIT: I guess at least some ppl, use this as a comfortable excuse to stay on Plex. “But it is insecure… so i can not set it up”

No, it is impossible to certify security, it’s only possible to certify insecurity.

They could only say something like “it’s designed to run exposed” or something like it.

You can pay for the audit if you like and still there would be no certainty.

I assume, before they say something like that they want a completely new API. But this would break every single client.

The question is, are the vulnerabilities actually a risk for your setup?

Should they be fixed? Absolutely.

But do they affect you? For me its basically a no.

A vulnability can be a nothing burger or critical issue that needa to be fixed. But it depends.

i feel like one issue is a bit of a downplay here,

But how does it matter if the issue is closed or open? It is linked and stated early and tracked.

That issues get merged and closed is quite normal when there arw duplicates.

Also, i think the oppoaite. The issues get ‘upplayed’. Which one of these are you actually worried about? And how does they affrct you?

My second complaint is the security design. They’ve had open issues about unauthenticated endpoints for three or four years now. And whenever the issue gets so old that it starts to look bad, they refactor the issue into a newer issue abd bury it in the sand.

You mean that one issue that is still open and linked in the “security and quality” tab on github?

And the memory leaks get closed one after another? Dont they? Just because there are still issues does not mean it gets improved upon.

Media matching is no issue if you follow the naming sheme.

I am not upset at all, not sure why you think that.

Jellyfin will and connot be the replacement you wish it to be. Exposing something to the Internet is not a solution for the normal person. Heartbeat, Log4shell etc. etc. all of those are the reason why, not necessarily the service you are hosting by itself.

Especially in an age where tailscale is available to install on every major smart TV or other devices i do not get why you even want to recommend ppl to expose it.

No, not really. But what should i expect from someone who states as an ‘objective opinion’ “I do not like the programming language so the project is bad”

If i had to guess, since you are jumping on the memory leaks, you got an issue, reported it and did not get treatet like they fix it with a priority.

You keep jumping on “They had an RCE so the security must be completely broken”

Once? No jellyfin has had about 4 major RCE issues since the fork. At least 4 that I’m aware of. Blaming it on the previous code only makes sense if the split is recent. They have had time to completely rewrite if they really want.

It absolutely makes sense, otherwise they would have had to throw everything away.

The EFcore refacotring was like 6 years in the making.

And all that from just a few single ppl. Look at the ckntributer list, and how many contribution. Not many active devs are working on jellyfin on their free time. The problems that jellyfin has, is not from a lack of trying but a from a lack of finger and arms.

And you need to take it like it is.

But for complete other reasons than RCEs or similar.

As an FOSS project that inherited lots of shitty code this is basically the best thing they could do.

Not sure why, but you get specific about once RCE but not about other problems and keep vague about them. Is it the lack of understanding or disingenuousness?

It has had a pretty high number of RCE exploits including one recently the architecture of the web service is just very poor and leads to a lot of basic problems.

So they had an RCE that got fixed therefore the software is bad and insecure. Therefore every OS and basically any enterprise software that was ever used is insecure.

Got it.

And Plex doesn’t require any. It’s okay to accept that one product can be more polished than the other, and Plex has a lot of stuff that “just works”

And it is ok to accept that Plex is getting worse and worse. Only reason why ppl use it these days is because they still have an old lifetime pass. As soon as they take it away or introduce a new tier of features or even removing features of it, they will swarming away from Plex.

And they will!

OC never said anything to do with your comment, you seem to be really offended by recommending an alternative to a tool that you use.

As I said, when you know the exact path of a media item on the server then you can check if the item exists.

If you choose a none standard filepath its not an issue.

Should that be fixed yes.

Whats the scenario? A law firm could brute force check all media items on open jellyfin servers? Highly illegal to exploit something like this in a lot of jurisdiction. And would also not proof the existence of the media on the server, just a file named like it.

Mitigation? Just add another random letter in the docker-compose mount path.

Have you even read the issues and understood them?

Yes, those should be fixed, but unless you are worried about someone hijacking a video stream when you use a generic media path, there is not that much to worry about.

deleted by creator