- cross-posted to:
- [email protected]
- cross-posted to:
- [email protected]
cross-posted from: https://poptalk.scrubbles.tech/post/2333639
I was just forwarded this someone in my household who watches our server. That’s it folks. I’ve been a hold out for a long time, but this is honestly it.
They want me to pay to stream content that I bought from my hardware transcoded also on my hardware.
I’ll say it. As of today, I say Plex is dead. Luckily I’ve been setting up Jellyfin, I guess it’s time to make it production ready.
Edit: I have a Plex Pass. More comments saying “Just buy a plex pass” are seriously not getting it. I have a Plex Pass and my users are still getting this.
And for the thousandth person who wants to say the same things to me:
- YES I know I’m unaffected as a Plex Pass owner.
- My users were immediately angry at it, which made me angry. Our users don’t understand what plex pass is, and they shouldn’t have to, that’s why I had it. The fact that they were pinged even though it should have kept working is horribly sloppy
- Plex is still removing functionality. I don’t care that “People should pay their fair share”. If Plex wants to put every new feature behind a paywall, that’s completely okay. They are removing functionality.
- “But they have cloud costs”. Remote streaming is negligible to them. It’s a dynamic DNS service. Plex client logs in, asks where server is, plex cloud responds with the IP and port of where server is located. That’s it.
- “Good luck finding another remote streaming” - Again, Plex just opens up an IP and port. Jellyfin also just opens up an IP and port (Hold on jellyfin folks I know, security, that’s a separate conversation). All “remote streaming” is is their dynamic dns. Literal pennies to them. Know what actually is costing them money? Hosting all of that ad-supported “free” content that they’re probably losing money on.
In short, I don’t care how you justify it. Plex is doing something shitty. They’re removing functionality that has been free for years. I’m not responding to any more of your comments repeating the same arguments over and over.
Put it behind a reverse proxy!
Great, so now the unauthenticated APIs are proxied instead of accessed directly. That changes nothing, it is still vulnerable.
I’m not sure if you know this, but…that doesn’t fix most of the security issues in the linked list. All the reverse proxy does is handle hostname resolution and TLS termination (if you are using TLS). If the application being proxies still has an unauthenticated API, anyone can access it. If there’s an RCE vulnerability in any of them, you might get hacked.
I run Jellyfin publicly, but I do it behind a separate, locked-down reverse proxy (e.g., it explicitly hangs up any request for a Host header other than Jellyfin’s), in a kubernetes cluster, and I keep its pod isolated in its own namespace with restricted access to everything local except to my library via read-only NFS volumes hosted on a separate TrueNAS box. If there is any hack, all they get access to is a container that can read my media files. Even that kind of bothers me, honestly.
The overwhelming majority of Jellyfin users do not take precautions like this and are likely pretty vulnerable. Plex has a security team to address vulnerabilities when they happen, so those users would likely be a lot safer. I appreciate the love for FOSS on Lemmy, but it is scary how little most folks here acknowledge the tradeoffs they are making.
I’ve spoken out on this same issue before… and as a previous security instructor/researcher… it’s fucking scary how many people shit on Plex for a platform that has had known vulnerabilities in auth for 4 years now, that’s existed since the previous code-base… so at least 7 years old and those issues existed in the previous emby codebase going back over a decade.
Plex isn’t perfect… there’s risks involved there too… but at least when something is brought up as a significant risk it seems to get fixed outside of the implicit risks of the Plex org itself.
All I read in these threads is effectively “WAAAH I don’t WANNA pay!”… Without realizing that the payment gave them something significantly more secure.
I’ve never used Plex, but the thing that stopped me from looking at it isn’t that it’s a paid service. It’s that it’s partially centralised, and starting to become hostile to its user base. This current change, locking down a previously free feature being an iconic example of that.
My partner and I fund two decently sized fediverse instances and a matrix instance mostly out of our own pockets. We do that precisely because we have both actively chosen to move away from centralised, user hostile social media platforms. And whilst Plex isn’t a social media platform, it is centralised and becoming more user hostile, and I won’t pay for that.
(And to be clear, I’m front of house, I’m not responsible for setting up our instances security :P)
I mean, that’s effectively the same boat I’m in. I run all my own stuff in my own cluster (recently posted some of it if you check my post history).
But putting up Jellyfin for any user that isn’t on your network is literally a security nightmare. I cannot run blatantly insecure software and leave it internet facing. It’s one thing if it was just found and they’re working on closing it… But this has been documented/known for 4 years. They’re not fixing it and have shown no interest in addressing it at all.
VPN is literally the only answer… and that breaks all TV-based access outright since none of them do VPN. Basic auth doesn’t work. Other forms of auths breaks all app access (leaving only browser). And each time any of these possible alternative answers come up, they’ve outright dismissed it.
If/When Plex finally gets hostile, I’ll simply turn it off. But I can’t let Jellyfin be what services my users, it just doesn’t work.