SSL certificate check to prevent MitM-attacks


Postby pschroeder » Sat Mar 16, 2013 6:16 pm

I propose that when connecting to a Subsonic server by SSL (https) that invalid (self-signed) security certificates have to be acknowledged by the user. Without this feature, using a WiFi in a non-secure location (i.e. basically everywhere) would make the app prone to a man-in-the-middle attack.

P.S.: This is meant for the Android app.
pschroeder
 
Posts: 3
Joined: Sat Mar 16, 2013 6:09 pm

Re: SSL certificate check to prevent MitM-attacks

Postby philip550c » Fri Mar 22, 2013 10:12 pm

That would be really annoying and most people would find the app to be a pain to use and they would just think that what they are doing is dangerous.
philip550c
 
Posts: 31
Joined: Mon Jun 13, 2011 8:18 pm

Re: SSL certificate check to prevent MitM-attacks

Postby daneren2005 » Fri Mar 22, 2013 10:19 pm

Nah, any sane implementation would only ask about the certificate either 0 or 1 times. The first time it's loaded you would save the certificate, then after that only throw a warning message if the certificate is different. And if it does change, the user most definitely needs to be alarmed about it.

PS This has been on my todo list for a while for DSub, but it is unreasonably difficult on Android :?
Developer of DSub for Android
daneren2005
 
Posts: 1709
Joined: Fri Jul 06, 2012 7:52 pm

Re: SSL certificate check to prevent MitM-attacks

Postby philip550c » Sat Mar 23, 2013 10:25 pm

daneren2005 wrote: Nah, any sane implementation would only ask about the certificate either 0 or 1 times. The first time it's loaded you would save the certificate, then after that only throw a warning message if the certificate is different. And if it does change, the user most definitely needs to be alarmed about it.

PS This has been on my todo list for a while for DSub, but it is unreasonably difficult on Android :?

Well 0 times would defeat the OP request and while I agree that asking once wouldn't be a problem to me, I have users ask me all the time why there's an "error" on my subsonic page and my other self hosted services and "am I sure that they won't get a virus?". You are a dev and it wouldn't cross your mind but for the average person it's a big red flag, they already think just entering in the url, username and password is difficult.

Do the subsonic and dsub apps not use ssl? I always assumed they were just accepting the certificate automatically? Is this not the case?

PS: I will be buying the dsub app as soon as you are done implementing the chat tab. Thanks so much, I have wanted that for a long time. :D
philip550c
 
Posts: 31
Joined: Mon Jun 13, 2011 8:18 pm

Re: SSL certificate check to prevent MitM-attacks

Postby daneren2005 » Sun Mar 24, 2013 12:00 am

philip550c wrote:
daneren2005 wrote: Nah, any sane implementation would only ask about the certificate either 0 or 1 times. The first time it's loaded you would save the certificate, then after that only throw a warning message if the certificate is different. And if it does change, the user most definitely needs to be alarmed about it.

PS This has been on my todo list for a while for DSub, but it is unreasonably difficult on Android :?

Well 0 times would defeat the OP request and while I agree that asking once wouldn't be a problem to me, I have users ask me all the time why there's an "error" on my subsonic page and my other self hosted services and "am I sure that they won't get a virus?". You are a dev and it wouldn't cross your mind but for the average person it's a big red flag, they already think just entering in the url, username and password is difficult.

Do the subsonic and dsub apps not use ssl? I always assumed they were just accepting the certificate automatically? Is this not the case?

PS: I will be buying the dsub app as soon as you are done implementing the chat tab. Thanks so much, I have wanted that for a long time. :D

I definitely understand that it's a red flag for normal users. Hell, it's a red flag for me. There is something about that error page that just makes it feel like pressing ok is wrong. But that doesn't really matter for the app side, because yes they are just accepting certificates automatically right now. When I stop accepting all certificates, I would be saving it so the user would only be asked once. Let me explain the 0 or 1 comment a little more. I would actually lean more towards the 0 side simply because it really doesn't matter what message I pop up the first time. If the user thinks they are connecting to the correct server, they will just accept it. This is what is going to happen the first time, so in a lot of ways there really is no point in even asking. And like you said, asking the first time will just confuse most people unnecessarily, just like it does when the browser throws those messages. Where the security part jumps in is IF there already exists a saved certificate for the site, and it doesn't match the one the app gets. THEN is when you want to ask the user, because it should definitely be sending a red flag. Either the admin has changed the certificate and you just click through and have it be changed, or he hasn't and that is how you know you are being attacked by a MitM attack.
Developer of DSub for Android
daneren2005
 
Posts: 1709
Joined: Fri Jul 06, 2012 7:52 pm

Re: SSL certificate check to prevent MitM-attacks

Postby philip550c » Sun Mar 24, 2013 2:02 am

daneren2005 wrote:
philip550c wrote:
daneren2005 wrote: Nah, any sane implementation would only ask about the certificate either 0 or 1 times. The first time it's loaded you would save the certificate, then after that only throw a warning message if the certificate is different. And if it does change, the user most definitely needs to be alarmed about it.

PS This has been on my todo list for a while for DSub, but it is unreasonably difficult on Android :?

Well 0 times would defeat the OP request and while I agree that asking once wouldn't be a problem to me, I have users ask me all the time why there's an "error" on my subsonic page and my other self hosted services and "am I sure that they won't get a virus?". You are a dev and it wouldn't cross your mind but for the average person it's a big red flag, they already think just entering in the url, username and password is difficult.

Do the subsonic and dsub apps not use ssl? I always assumed they were just accepting the certificate automatically? Is this not the case?

PS: I will be buying the dsub app as soon as you are done implementing the chat tab. Thanks so much, I have wanted that for a long time. :D

I definitely understand that it's a red flag for normal users. Hell, it's a red flag for me. There is something about that error page that just makes it feel like pressing ok is wrong. But that doesn't really matter for the app side, because yes they are just accepting certificates automatically right now. When I stop accepting all certificates, I would be saving it so the user would only be asked once. Let me explain the 0 or 1 comment a little more. I would actually lean more towards the 0 side simply because it really doesn't matter what message I pop up the first time. If the user thinks they are connecting to the correct server, they will just accept it. This is what is going to happen the first time, so in a lot of ways there really is no point in even asking. And like you said, asking the first time will just confuse most people unnecessarily, just like it does when the browser throws those messages. Where the security part jumps in is IF there already exists a saved certificate for the site, and it doesn't match the one the app gets. THEN is when you want to ask the user, because it should definitely be sending a red flag. Either the admin has changed the certificate and you just click through and have it be changed, or he hasn't and that is how you know you are being attacked by a MitM attack.


Ah OK. That actually would be great. Thanks for the clarification.
philip550c
 
Posts: 31
Joined: Mon Jun 13, 2011 8:18 pm

Re: SSL certificate check to prevent MitM-attacks

Postby pschroeder » Wed Apr 03, 2013 5:59 am

philip550c wrote: That would be really annoying and most people would find the app to be a pain to use and they would just think that what they are doing is dangerous.


Well, frankly it is. Either they know what is going on and can handle it (in which case they can decide whether it's dangerous or not without getting a panic attack) or they do not and then they should stay the hell away from it. And shame on everybody who forces them to use an unsigned certificate without sitting them down and explaining at length how SSL and certificates work and what this error message means. In some areas, where self-signed certificates are used by friends, colleagues or even internally in some institutions and companies, people get conditioned to just ignore these warnings and accept it every single time. So what happens when they go to their bank's website and get greeted with the same warning? They just accept it and move on to enter their login credentials. Is that the goal?

Now saying that just ignoring this situation in the app is much better, as now nobody has any control anyway, is just as bad. Basically subsonic provides access to YOUR data to the world. Don't you agree that this must be protected? Aside that anybody could see all your media if they have your password, it's also likely that your account is the admin and they can add your other files to the interface. And it also opens up access to subsonic itself, making bugs exploitable globally. If an app KNOWS that the certificate may not be valid, it is a good (and ideally legally required, if you ask me) idea to ask the user to verify it.

daneren2005 wrote: But that doesn't really matter for the app side, because yes they are just accepting certificates automatically right now. When I stop accepting all certificates, I would be saving it so the user would only be asked once. Let me explain the 0 or 1 comment a little more. I would actually lean more towards the 0 side simply because it really doesn't matter what message I pop up the first time. If the user thinks they are connecting to the correct server, they will just accept it. This is what is going to happen the first time, so in a lot of ways there really is no point in even asking. And like you said, asking the first time will just confuse most people unnecessarily, just like it does when the browser throws those messages. Where the security part jumps in is IF there already exists a saved certificate for the site, and it doesn't match the one the app gets. THEN is when you want to ask the user, because it should definitely be sending a red flag. Either the admin has changed the certificate and you just click through and have it be changed, or he hasn't and that is how you know you are being attacked by a MitM attack.


I agree that after the first time the certificate should be remembered - after all nobody is going to check the fingerprint every single time (which just leads to the mentioned behavior of starting to ignore it). However I disagree that there should be no warning the first time. It doesn't have to be worded like the world is about to explode, but it should give users the opportunity to verify whether they are connected with the correct server (e.g. by displaying the fingerprint and asking them to verify it). If they ignore that and just accept, fine - that's their problem. But not giving them the choice is frivolous.
pschroeder
 
Posts: 3
Joined: Sat Mar 16, 2013 6:09 pm
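
The save-then-compare behaviour daneren2005 describes, together with the fingerprint display pschroeder asks for, sketched as an added example (not DSub or Subsonic code). The class name `TofuTrustManager`, the in-memory pin map, the server key format and the host `music.example.invalid` are assumptions made for illustration.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.Map;
import javax.net.ssl.X509TrustManager;

/** Trust-on-first-use: pin the first certificate seen, refuse a silent change. */
public class TofuTrustManager implements X509TrustManager {
    public enum Decision { FIRST_USE, MATCH, MISMATCH }
    private final Map<String, byte[]> pins; // hypothetical store: server key -> SHA-256 pin
    private final String serverKey;         // assumed key, e.g. "host:port" as configured

    public TofuTrustManager(Map<String, byte[]> pins, String serverKey) { this.pins = pins; this.serverKey = serverKey; }

    static byte[] fingerprint(byte[] derCert) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(derCert);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // SHA-256 is required on every Java platform
        }
    }

    /** Colon-separated hex, the form a first-connect dialog could show for verification. */
    static String display(byte[] fp) {
        StringBuilder sb = new StringBuilder();
        for (byte b : fp) sb.append(sb.length() == 0 ? "" : ":").append(String.format("%02X", b));
        return sb.toString();
    }

    /** Decide over the DER bytes of the leaf certificate; first use pins without a prompt. */
    synchronized Decision evaluate(byte[] derCert) {
        byte[] seen = fingerprint(derCert);
        byte[] pinned = pins.get(serverKey);
        if (pinned == null) { pins.put(serverKey, seen); return Decision.FIRST_USE; }
        return MessageDigest.isEqual(pinned, seen) ? Decision.MATCH : Decision.MISMATCH;
    }

    /** Call only after the user confirmed that the admin replaced the certificate. */
    synchronized void acceptReplacement(byte[] derCert) { pins.put(serverKey, fingerprint(derCert)); }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        if (chain == null || chain.length == 0) throw new CertificateException("no server certificate");
        if (evaluate(chain[0].getEncoded()) == Decision.MISMATCH) // abort before credentials are sent
            throw new CertificateException("certificate for " + serverKey + " differs from the saved one");
    }
    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        throw new CertificateException("not used for client authentication");
    }
    @Override
    public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }

    public static void main(String[] args) {
        TofuTrustManager tm = new TofuTrustManager(new HashMap<>(), "music.example.invalid:443");
        byte[] original = {0x30, 0x03, 0x01, 0x02, 0x03}; // constructed stand-ins, not real DER
        byte[] changed  = {0x30, 0x03, 0x09, 0x09, 0x09};
        System.out.println(tm.evaluate(original) + " pin " + display(fingerprint(original)));
        System.out.println(tm.evaluate(original) + ", then " + tm.evaluate(changed));
        tm.acceptReplacement(changed); // the user confirmed the change
        System.out.println(tm.evaluate(changed));
    }
}
```

A `MISMATCH` surfaces as a failed handshake, which is the point where the app would show the warning; an app would also persist the pin map per server profile rather than keep it in memory.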

Re: SSL certificate check to prevent MitM-attacks

Postby daneren2005 » Wed Apr 03, 2013 4:08 pm

Lol, really, frivolous? Odd choice of words. But on to the actual point, you have a better chance of being struck by lightning than happening to already be in the middle of a MitM attack the first time you connect to the server. Not only that, but there are probably a thousand people on the entire planet that would actually log on to their server and check the fingerprint of the server against what is being shown. It seems entirely pointless to even bother users with a pointless prompt on the first connect.
Developer of DSub for Android
daneren2005
 
Posts: 1709
Joined: Fri Jul 06, 2012 7:52 pm

Re: SSL certificate check to prevent MitM-attacks

Postby philip550c » Thu Apr 04, 2013 11:01 pm

pschroeder wrote:
philip550c wrote: That would be really annoying and most people would find the app to be a pain to use and they would just think that what they are doing is dangerous.


Well, frankly it is. Either they know what is going on and can handle it (in which case they can decide whether it's dangerous or not without getting a panic attack) or they do not and then they should stay the hell away from it. And shame on everybody who forces them to use an unsigned certificate without sitting them down and explaining at length how SSL and certificates work and what this error message means. In some areas, where self-signed certificates are used by friends, colleagues or even internally in some institutions and companies, people get conditioned to just ignore these warnings and accept it every single time. So what happens when they go to their bank's website and get greeted with the same warning? They just accept it and move on to enter their login credentials. Is that the goal?

Now saying that just ignoring this situation in the app is much better, as now nobody has any control anyway, is just as bad. Basically subsonic provides access to YOUR data to the world. Don't you agree that this must be protected? Aside that anybody could see all your media if they have your password, it's also likely that your account is the admin and they can add your other files to the interface. And it also opens up access to subsonic itself, making bugs exploitable globally. If an app KNOWS that the certificate may not be valid, it is a good (and ideally legally required, if you ask me) idea to ask the user to verify it.


Oh yeah shame on me for not explaining to my friends the details of how ssl certificates work :roll: , I take it you have never had to explain anything to average computer users. I have users telling me that chrome is too complicated for them to learn and they prefer using internet explorer. Or that when they start up their browser it doesn't go to the internet (they mean google.com) but goes to something else (they mean bing.com). I really don't have time to explain ssl to anybody, and they automatically think self signed warnings are bad anyway so if their bank site suddenly asks them to accept a certificate with a big fat warning on it they won't.

And what other files can they add? All the linux system files from my dedicated subsonic VM? Don't care. They can even login to subsonic and run arbitrary code and mess my whole server up and I could just restore it in a few mins. Even if they blow away all my media, I have backups. Shame on anyone who doesn't.
philip550c
 
Posts: 31
Joined: Mon Jun 13, 2011 8:18 pm

Re: SSL certificate check to prevent MitM-attacks

Postby manwithaplan » Sat Apr 13, 2013 2:53 pm

Ummm, can someone explain to me what is so hard about purchasing a real, trusted, root-CA signed cert, and using it on your SS server??? I wrote a tutorial up for Mac OSX Server showing exactly how to install one, and others have done the same for other platforms. A real cert can be had for about 50 bucks these days, and renders this discussion about cert warnings moot. Seems to me if you can't be bothered to put a real cert on your page you shouldn't be using SSL in the first place.
Subsonic 5.2.1 on 2009 Apple XServe w/ Yosemite Server 10.10.5; 96GB RAM. Lots of Music - High Rez, native DSD streaming, and otherwise.
manwithaplan
 
Posts: 153
Joined: Sun Nov 28, 2010 5:01 pm

Re: SSL certificate check to prevent MitM-attacks

Postby bushman4 » Sun Apr 14, 2013 4:31 pm

The certificate would have to have all of the names listed on it that you expect Subsonic to be contacted via.

So, in my case that would be:

An internal IP address (for clients inside the network)
my external IP address (for clients outside the network)
My vanity homeserver.com domain name (because I have some clients that are still set up that way from before I set up a vanity subsonic.org domain name).

I agree that it is not difficult to set up. But the first time your ISP changes your external IP address the certificate will become invalid again for all outside clients accessing via the ip address or vanity subsonic.org address.

So it is not that it is hard to set up, but it is hard to maintain.

HTH,

Glenn
Glenn Sullivan
Subsonic 6.1.6 (Unraid Docker)
90 regular Subsonic Users

Library as of 2024-10-28:
4,527 artists
19,996 albums
282,151 songs
10201.40 GB
41,583 hours
bushman4
 
Posts: 875
Joined: Thu Dec 02, 2010 1:47 pm
Location: Massachusetts, USA

Re: SSL certificate check to prevent MitM-attacks

Postby daneren2005 » Sun Apr 14, 2013 5:00 pm

And most people really don't want to have a recurring payment just for a full certificate lol

Sent from my HTC One X using Tapatalk 2
Developer of DSub for Android
daneren2005
 
Posts: 1709
Joined: Fri Jul 06, 2012 7:52 pm

Re: SSL certificate check to prevent MitM-attacks

Postby manwithaplan » Wed Apr 17, 2013 11:12 am

Bushman,

Your assumptions are wrong...you don't need the cert to have every hostname on it, unless you stupidly use separate names for it internally than externally (in which case you would need a wildcard cert if you want to maintain that structure). I would simply change your internal hostname to be exactly as your external, and then do split DNS. Yes, you may have to communicate the hostname change to your users, but the benefit is that you'd have a single web address for everyone, whether they are external, internal, connected via VPN (internal), or whatever. Imagine that, a bookmark that truly works perfectly no matter where the user is at any moment in time!

2 things. First, some ISPs will give static IPs to you - for a fee of course, but yes, I have static IPs. You could also use Dynamic DNS service as an alternative. Secondly, your issue of internal IP/external IP goes out the window with proper split DNS. If you have a machine you use internally as your internal DNS server, simply create an A record in internal DNS pointing from the hostname to the internal IP and the cert warning will not occur (again, assuming you have a real cert on there that matches the hostname). Then, in your domain's external DNS (usually hosted at your registrar or ISP), point the external A record at the corresponding public hostname of the SS server (should be the same name as the internal hostname). Those folks outside will not get a cert warning either then.

Buy a 3 year cert, and forget about it for a while, then renew after 3 years. Same as any administrator of any SSL site on the planet would do. I don't see why this is "hard to maintain"...every web host on the planet using SSL faces these routine tasks all the time. If you can run and maintain and modify(!) SS, you can handle the proper SSL setup.
Subsonic 5.2.1 on 2009 Apple XServe w/ Yosemite Server 10.10.5; 96GB RAM. Lots of Music - High Rez, native DSD streaming, and otherwise.
manwithaplan
 
Posts: 153
Joined: Sun Nov 28, 2010 5:01 pm

Re: SSL certificate check to prevent MitM-attacks

Postby bushman4 » Wed Apr 17, 2013 1:46 pm

I was (and am) operating under the assumption that most people are using the Subsonic.org vanity name redirection service, and I guess I should have stated so. I understand exactly what you are saying about how it could be done fairly easily. But that is nowhere near the "standard" setup, nor is it discussed anywhere but here on the user forums, where MAYBE 1% of subsonic users visit occasionally.

"Out of the box," the product uses the built in vanity redirect service which means that the connection to the actual subsonic server will either be via the host name of <External IP Address> or <Internal IP address>. These are the circumstances of which I speak.

Glenn
Glenn Sullivan
Subsonic 6.1.6 (Unraid Docker)
90 regular Subsonic Users

Library as of 2024-10-28:
4,527 artists
19,996 albums
282,151 songs
10201.40 GB
41,583 hours
bushman4
 
Posts: 875
Joined: Thu Dec 02, 2010 1:47 pm
Location: Massachusetts, USA

Re: SSL certificate check to prevent MitM-attacks

Postby manwithaplan » Wed Apr 17, 2013 2:00 pm

Ahhhh, okay, I see. Yes, I am NOT using the *.subsonic.org naming, but my own domain and FQDN, and own static IPs instead. I've modified everything to use "Share" links and such that reference my own personal domain/hostname, etc. etc. I guess if I were using the subsonic.org domain, I wouldn't even bother with SSL probably. I use SSL because my users are all sourced in an LDAP directory which also serves other services to them, and sending passwords in the clear via HTTP is not my idea of a Good Thing(TM) :-) Security first as it turns out. Cheers Bushman, we are on the same page now.
Subsonic 5.2.1 on 2009 Apple XServe w/ Yosemite Server 10.10.5; 96GB RAM. Lots of Music - High Rez, native DSD streaming, and otherwise.
manwithaplan
 
Posts: 153
Joined: Sun Nov 28, 2010 5:01 pm

