Comment on Plex got hacked.
Waryle@jlai.lu 18 hours agoMy Jellyfin is behind a Crowdsec + Cloudflare proxy with geoblocking and other protections + Reverse Proxy with additional protections, in a rootless Docker container with no access to the Docker socket, and has only access to a mounted folder which contains just downloaded movies and shows. The effort to break in is high, the reward very low.
But the most important difference between Jellyfin and Plex is that neither Jellyfin devs nor Jellyfin instances have any personal or credit card information from their users, and therefore are way less a problem of hacked into.
thelittleblackbird@lemmy.world 17 hours ago
Good to read you know how to implement some protection layers around your jellyfinn :)
But most of the people (specially the plex ones) don’t have the technical background to deploy something like you have, and convince those people to do the switch without knowing how to protect themselves is not a wise thing to do. Specially when this time, plex response was perfectly fine :)
Waryle@jlai.lu 15 hours ago
I already answered your second paragraph: Jellyfin holds no sensible data.
And there is no central server gathering data from all users, an hacker would need to find and break in multiple Jellyfin instances, to get useless data from 1 to maybe 10 users each time.
And Plex is not easier to install and secure than Jellyfin.
MaggiWuerze@feddit.org 14 hours ago
Maybe if you don’t live in a country where piracy is actively prosecuted
thelittleblackbird@lemmy.world 13 hours ago
Sometimes your data is not important but your computer, nobody wants to be in a netbot.
Well, perhaps plex is not better in security (we don’t know for sure) but at least they have a cyber team, a monitoring system and in every bodies hope, dedicated developers for these topics.
Jellyfinn dies not hve a team like this one per se. Could the developers be better fit and knowledged in jellyfinn than plex? Perhaps, but probably the focus is in the features and not in the security
dogs0n@sh.itjust.works 15 hours ago
Seems weird to say, because I had to setup Plex one time on a server for testing and it was a bit harder than setting up Jellyfin, so I wouldn’t call most Plex hosters dumb.
Plus they are still hosting something on their servers, they would still need to secure it in some ways?
thelittleblackbird@lemmy.world 13 hours ago
Jellyfinn has a nice record of problems during the authentication and escalating privileges, even the developer team recommends to use it behind a vpn and don’t expose it to internet.
If course, you can use a reverse proxy with and external Auth framework to mitigate it, pair it with fail2ban, geo restrictions and a second factor, but those things are not in the scope of the regular user.
Let’s face reality, plex is not such widespread for being the default option in kali Linux…
dogs0n@sh.itjust.works 1 hour ago
I think the only advice I have seen is to use jellyfin behind a reverse proxy (instead of directly exposing it), because they are hardened.
Where have you seen this official advice for a vpn?
MaggiWuerze@feddit.org 13 hours ago
You’re exactly the kind of Jellyfin user the rest has to thank for the devs lax approach to security. If you actually demanded even basic security, the devs would maybe at least consider it a priority.
But until it no longer provides an unsecured API, you should maybe think about whether you want to portrait it as secure.
dogs0n@sh.itjust.works 1 hour ago
Same with Plex, except more serious, they have data breach after data breach and I read comments here of people applauding the response and probably most will continue to use it.
If your threat model includes being scared people are gonna guess whats on your server and try playing it, then thats up to you, personally It’s not something I’m worried about in contrast.