Comment on Moving from Cloudflare tunnels for media streaming, first plan didn't work out due to double NAT
SirMaple__@lemmy.ca 2 days agoComment on Moving from Cloudflare tunnels for media streaming, first plan didn't work out due to double NAT
SirMaple__@lemmy.ca 2 days ago
Strit@lemmy.linuxuserspace.show 2 days ago
Most of the relevant issues they link to has been closed and/or dealt with.
ChapulinColorado@lemmy.world 13 hours ago
You don’t have to take my word on this, but when you have so many vulnerabilities, the foundation and knowledge about security practices by the developers is missing some key ingredients.
I use Jellyfin. I like jellyfin. I would like people to use jellyfin, but do it responsibly.
Citing backwards compatibility is not an acceptable answer either. If individual endpoints and/or protocols (web sockets) are being addressed as separate issues, then there is no overall filter for the most basic thing as checking if the user is authenticated, you know a potential attacker will look for more.
Will they target jellyfin instead of your average government website with a low budget and similar issues? Unlikely, but possible if the level of effort is low and can potentially create a large botnet, maybe?
You handle these with overall filters (or whatever they are called on c#) and white lists if something truly needs not to have it instead of reacting when someone reports it.
The simple fact that some of the code was sending api keys as GET parameters (which get logged cross every access log in the middleware on its way to the target server) and it didn’t raise any flags seems sufficient enough to suggest DO NOT expose jellyfin directly to the internet.