Jellyfin dev team is not in charge of your self hosted security though. You know what you are getting, source code available, and it’s up to you setting the security.
Comment on Plex got hacked.
thelittleblackbird@lemmy.world 2 months agoY hope you know how to harden jellyfinn, because they are not better than plex team…
daniskarma@lemmy.dbzer0.com 2 months ago
thelittleblackbird@lemmy.world 2 months ago
But they are responsible for the unsecured / gruyere cheese product they ship.
Jellyfinn has a lot of holes and it is easy to deploy it in a insecure way by not techie people. Last time I checked they even didn’t have a recommended practices for hardening it
daniskarma@lemmy.dbzer0.com 2 months ago
Not techie people are not going to be able to open it for internet access. If you have the knowledge to set a internet available service you should have the knowledge to be able to provide basic security.
Most security issues with jellyfin are an issue only for a specific type of user. The one who is selling access to their server. The worst Jellyfin security issue makes selling access to your server a higher risk situation.
I hope someday those issues would get patched, but I get why there are other priorities for the dev team right now, about issues that bother to a bigger majority of jellyfin users.
thelittleblackbird@lemmy.world 2 months ago
Well, when I was talking about not techie people I didn’t mean technology analphabets, everybody can open a port in your consumer router with the help of chatgpt, not everybodies is able to realizes they need a reverse proxy with tls and modify the headers for the Auth…
Being secure in internet is like the herd inmunity for corona times, your system could be fairly secure, but if you are hammered with several bot nets it is going to be a challenge, and there is responsabiity is shipping a product that is easy to be infected.
And your third paragraph really confirms why this post is necessary
rezifon@lemmy.world 2 months ago
Every year Jellyfin improves and Plex further enshittifies. You’re fighting against the tide here.
thelittleblackbird@lemmy.world 2 months ago
???
This is not about enshitification. The best user friendly app can be a security nightmare and an utterly crap can be rock solid.
It is not about that, not even development models or just rock star programmers.
It is about who has a performing security team and who doesn’t.
rezifon@lemmy.world 2 months ago
None of Jellyfin’s security issues affect me.
All of Plex’s shit does.
thelittleblackbird@lemmy.world 2 months ago
If they don’t have a team, they don’t regularly look, if they dont look, they don’t report, if they don’t report your analysis maybe biased because you can only check about what you know…
I hope you can see my point
Waryle@jlai.lu 2 months ago
My Jellyfin is behind a Crowdsec + Cloudflare proxy with geoblocking and other protections + Reverse Proxy with additional protections, in a rootless Docker container with no access to the Docker socket, and has only access to a mounted folder which contains just downloaded movies and shows. The effort to break in is high, the reward very low.
But the most important difference between Jellyfin and Plex is that neither Jellyfin devs nor Jellyfin instances have any personal or credit card information from their users, and therefore are way less a problem of hacked into.
thelittleblackbird@lemmy.world 2 months ago
Good to read you know how to implement some protection layers around your jellyfinn :)
But most of the people (specially the plex ones) don’t have the technical background to deploy something like you have, and convince those people to do the switch without knowing how to protect themselves is not a wise thing to do. Specially when this time, plex response was perfectly fine :)
Waryle@jlai.lu 2 months ago
I already answered your second paragraph: Jellyfin holds no sensible data.
And there is no central server gathering data from all users, an hacker would need to find and break in multiple Jellyfin instances, to get useless data from 1 to maybe 10 users each time.
And Plex is not easier to install and secure than Jellyfin.
MaggiWuerze@feddit.org 2 months ago
Maybe if you don’t live in a country where piracy is actively prosecuted
thelittleblackbird@lemmy.world 2 months ago
Sometimes your data is not important but your computer, nobody wants to be in a netbot.
Well, perhaps plex is not better in security (we don’t know for sure) but at least they have a cyber team, a monitoring system and in every bodies hope, dedicated developers for these topics.
Jellyfinn dies not hve a team like this one per se. Could the developers be better fit and knowledged in jellyfinn than plex? Perhaps, but probably the focus is in the features and not in the security
dogs0n@sh.itjust.works 2 months ago
Seems weird to say, because I had to setup Plex one time on a server for testing and it was a bit harder than setting up Jellyfin, so I wouldn’t call most Plex hosters dumb.
Plus they are still hosting something on their servers, they would still need to secure it in some ways?
thelittleblackbird@lemmy.world 2 months ago
Jellyfinn has a nice record of problems during the authentication and escalating privileges, even the developer team recommends to use it behind a vpn and don’t expose it to internet.
If course, you can use a reverse proxy with and external Auth framework to mitigate it, pair it with fail2ban, geo restrictions and a second factor, but those things are not in the scope of the regular user.
Let’s face reality, plex is not such widespread for being the default option in kali Linux…
MaggiWuerze@feddit.org 2 months ago
You’re exactly the kind of Jellyfin user the rest has to thank for the devs lax approach to security. If you actually demanded even basic security, the devs would maybe at least consider it a priority.
But until it no longer provides an unsecured API, you should maybe think about whether you want to portrait it as secure.