HTTPS Secure - How To Keep Your ISP From Spying


Postby text » Tue Feb 07, 2012 7:39 am

I have the server set up and running just fine. I have the Android app running on my phone in conjunction with the server. Everything is beautiful. Well, almost everything.

I'd like to create a secure, possibly encrypted connection, between my phone and the server. In fact, I want to create a secure connection between any user and the server, regardless of the platform. I have no idea how to do that.

I have checked the box in the settings to "allow HTTPS on port 443". But how do I know it's a secure connection beyond that?

I went into the Android and changed the server address to "https://blahblah.subsonic.org", and it resulted in a failure. I also tried changing it to "http://blahblah.subsonic.org:443"; of course, that didn't work either.

My ultimate goal here is to prevent my ISP, or any third party, from viewing the data that is streaming to my phone, or to any other user accessing the server.

How do I set this up and ensure that privacy is guaranteed?

Thanks,
Text
text
 
Posts: 40
Joined: Tue Feb 07, 2012 7:34 am

Re: HTTPS Secure - How To Keep Your ISP From Spying

Postby diffy » Tue Feb 07, 2012 9:13 am

When you enable https and connect to your Subsonic using https, it's using https.
But when you say:
"I went into the Android and changed the server address to "https://blahblah.subsonic.org", and it resulted in a failure. I also tried changing it to "http://blahblah.subsonic.org:443"; of course, that didn't work either."

What does the server log actually say about this? I'm connecting to mine just fine over https and all I had to do was to enable https. I also connect just fine using the Android client and on a non-standard https port.
For added "obscurity" I have changed the https port to a high number, but as I said that is only a security through obscurity measure.

If you really NEED to be secure, if you are somewhere where freedom of information is oppressed like the US, China or the Middle East, then I would recommend looking into buying a VPN connection from someone like StrongVPN or similar. Then connect your server up to that VPN provider and only accept connections through that IP address. All your ISP would see in this case would be a big blob of heavily encrypted data flowing back and forth between you and the VPN provider.

It would then be handy to use a dynamic DNS provider as well, to update your dynamic hostname googleme. I'll stop ranting now :)

Is HTTPS safe? - This Answer is not mine, and is from another website:
---
So the conclusion is that: Yes, https is a safe way to transfer data between you and a server, but most security problems happen after the transfer itself.

*Safe as in: Not even the best crypto experts have been able to break it, but it has not been 100% proven that it is safe.

Ok, I better clarify the safety bit. When talking about https there really are 2 different things which need to be safe, in order for the system to be safe.

a: The specification - This is the description of the math used to do the encryption. This part uses standard encryption algorithms and these are in general considered safe. To break the math behind the encryption you will among other things have to find a fast method to factor prime factors. This method in itself will give you a $1 million math prize if you solve it. So the math part is rather safe.

b: The implementation - This is the code in the browser which implements the math mentioned in part a. This is the part which is most likely to give security problems, because it is very difficult to prove that the code is a correct implementation of the math in the https specification. And there have in the past been implementations which were incorrect and thus caused security problems. Most known is the bug in Netscape 4 where they made a mistake so only 56 of the 128 bits in the encryption key were really random. But you should be pretty safe here, if you just upgrade your browser when new security upgrades become available.

But even if there were a security problem with https, a hacker would still need to be able to read the data between you and the server in order to use this security hole. Something which is rather difficult, and normally requires that he hacks a system which is located between you and the server.

Or you can just look at the history: In the entire history of the internet, information on millions of credit cards has been leaked. But in none of these cases has a security problem in https been used to gain access (I have at least never seen or heard about any such case, and Google could not find any).

So when you make a list of possible security problems with internet trade, a bug in SSL is very very far down the list of things you need to worry about.

(And I am talking about the modern 128-bit SSL. The older versions (56 and 64 bit) are not safe anymore due to increased CPU performance).
---
source: http://superuser.com/questions/225472/how-safe-is-https
diffy
 
Posts: 97
Joined: Fri Dec 30, 2011 11:28 pm
Location: Copenhagen, Denmark

Re: HTTPS Secure - How To Keep Your ISP From Spying

Postby text » Tue Feb 07, 2012 7:15 pm

Thanks for your reply, diffy. I appreciate it.

I have an offshore VPN service. The problem with using the VPN to access password protected content is that the IP address on the VPN is shared. So the flaw should be obvious. I'm just too scared that someone could be watching the tap, so to speak. I never log into any services with a VPN. I could use a VPN with a dedicated IP address, but then my identity would not be as obscure as sharing an IP with 1000 people. This VPN is an IPsec VPN (and I know it's not the most secure platform).

Moving on...

If I go to the Android app and change the server address to "https://myservername.subsonic.org", I get a failing connection: "A network error occurred. Retrying 1 of 4." Then it will quickly jump to "Connection failure. A network error occurred. Please check the server address or try again later".

Here is a screen shot of the settings on my subsonic app running on the server.

Image

Obviously there is something I'm doing wrong. Any suggestions?
By the way, I've got the port forwarded on the router, both 121 and 443 are forwarding the connection. Is it necessary to forward both ports? Is my router rejecting the HTTPS connection?

It baffles me because the Android app doesn't ask me for the port number anywhere. So if I wanted to access the server via 443, there is no setting in the app to specify that.
text
 
Posts: 40
Joined: Tue Feb 07, 2012 7:34 am

Re: HTTPS Secure - How To Keep Your ISP From Spying

Postby bushman4 » Tue Feb 07, 2012 7:46 pm

There is your problem.

Subsonic.org runs a redirect service. Not a DNS service. But it only operates on port 80 (standard web traffic).

Think about it this way... instead of your server saying "hey, what is the IP address for blah.subsonic.org?" and getting your ip address, it is given the IP address of the Subsonic Web Server, but when it contacts that web server, the web server itself redirects the client to your real IP address.

Here's how it works...

  1. When your subsonic server starts up, it registers its HTTP information ONLY (including IP address, port, and context path) with Subsonic.org's server.
  2. When anyone (including your phone) requests http://blah.subsonic.org from the subsonic server, it receives a "temporarily unavailable, please try this address" message, and the address provided is http://your.ip.address:YourHTTPPort/contextpath. (with actual IP Address, HTTP Port, and Context Path obviously)
  3. If your server is set up for HTTPS, then YOUR SERVER will then reply with a similar "temporarily unavailable, please try this address" message, but this time will give the address of https://your.ip.address:YourHTTPSPort/contextpath.
  4. Your client connects to that final address.

So, trying to contact HTTPS://blah.subsonic.org will never work because the redirect is not running on port 443 (the default HTTPS port) on the subsonic servers. Your choices come down to:

  • http://blah.subsonic.org - let both redirects happen, and be secure (but with no visual cue that you are in any of the alternate clients)
  • http://your.ip.address:YourHTTPPort/contextpath - Let the second redirect happen but again with no visual cue.
  • https://your.ip.address:YourHTTPSPort/contextpath - secure in the knowledge it is all secure, but out of luck if your IP address happens to change.

To put it bluntly, if you have your local subsonic server set up with HTTPS then the only thing that it should ever reply on the non HTTPS port is the second redirect to the secure HTTPS port address. So if you have HTTPS turned on and you are accessing your server successfully, it is over HTTPS and secure.

Hope this helps explain it,

Glenn
Glenn Sullivan
Subsonic 6.1.6 (Unraid Docker)
90 regular Subsonic Users

Library as of 2024-10-28:
4,527 artists
19,996 albums
282,151 songs
10201.40 GB
41,583 hours
bushman4
 
Posts: 875
Joined: Thu Dec 02, 2010 1:47 pm
Location: Massachusetts, USA
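
The redirect chain described in the post above, traced hop by hop as an added example (not part of the original posts and not Subsonic's own code). The hostname, the documentation address 203.0.113.10, ports 4040/4443, the `/music` context path and the 302 status codes are constructed assumptions; the audit lists which requests leave the client in cleartext before the HTTPS hop and, going slightly beyond the thread, flags any later downgrade back to HTTP.

```python
from urllib.parse import urlsplit

# Constructed stand-ins for the chain above; the hostname, 203.0.113.10
# (a documentation address), ports and /music context path are placeholders.
CONSTRUCTED_CHAIN = {
    "http://blah.subsonic.org/": (302, "http://203.0.113.10:4040/music"),
    "http://203.0.113.10:4040/music": (302, "https://203.0.113.10:4443/music"),
    "https://203.0.113.10:4443/music": (200, None),
}

def constructed_responder(url):
    """Return (status, Location) for a URL, or refuse like a closed port."""
    if url not in CONSTRUCTED_CHAIN:
        raise ConnectionRefusedError(f"nothing listening for {url}")
    return CONSTRUCTED_CHAIN[url]

def trace_redirects(start_url, responder, max_hops=5):
    """Follow redirects one hop at a time; return [(url, scheme, status)]."""
    hops, url = [], start_url
    for _ in range(max_hops):
        status, location = responder(url)
        hops.append((url, urlsplit(url).scheme, status))
        if status not in (301, 302, 303, 307, 308) or not location:
            return hops
        url = location
    raise RuntimeError("redirect limit reached")

def audit(hops):
    """Report which requests were sent unencrypted and how the chain ended."""
    cleartext = [url for url, scheme, _ in hops if scheme != "https"]
    seen_https = downgraded = False
    for _, scheme, _ in hops:
        if scheme == "https":
            seen_https = True
        elif seen_https:
            downgraded = True  # an HTTPS hop redirected back to HTTP
    return {
        "final_url": hops[-1][0],
        "final_is_https": hops[-1][1] == "https",
        "cleartext_requests": cleartext,
        "downgraded": downgraded,
    }

if __name__ == "__main__":
    for start in ("http://blah.subsonic.org/", "https://203.0.113.10:4443/music"):
        print(start, "->", audit(trace_redirects(start, constructed_responder)))
```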

Re: HTTPS Secure - How To Keep Your ISP From Spying

Postby text » Tue Feb 07, 2012 8:03 pm

Thanks for your reply, Glenn. I think it's working now.

I tried https://my.ip.address:portnumber/contextpath
It works.

This means that my connection is secure with https?

Also, if you wouldn't mind telling me what SSL is and if it's a more secure way of accessing the server. And how do I use that protocol?


Also, if you would please, tell me if my router needs to have both ports 121 and 443 open.

Thanks,
Text
text
 
Posts: 40
Joined: Tue Feb 07, 2012 7:34 am

Re: HTTPS Secure - How To Keep Your ISP From Spying

Postby bushman4 » Tue Feb 07, 2012 8:09 pm

SSL and HTTPS are the same thing, essentially. Well, not really, but in this context...

SSL is the encryption used, HTTPS is the transport used. So any traffic over HTTPS should be encrypted via SSL (the Secure Sockets Layer).

From the Wiki article on HTTP Secure:
Hypertext Transfer Protocol Secure (HTTPS) is a combination of Hypertext Transfer Protocol (HTTP) with SSL/TLS protocol. It provides encrypted communication and secure identification of a network web server. HTTPS connections are often used for payment transactions on the World Wide Web and for sensitive transactions in corporate information systems.


But to my last point... If you have SSL turned on on your subsonic server you should feel comfortable leaving the server address as http://blah.subsonic.org because the only thing that a subsonic media server should ever reply on the standard port (if HTTPS is set up) is "Sorry, that's not available, try here: https://... " and send you to the HTTPS port.

But if it makes you feel better to actually see the https:// in the address, by all means, leave it as it is. Just know that you are losing out on the "Dynamic IP Registration" feature that Subsonic.org provides to registered users... if your IP address changes, you will have to manually change your server address.

Glad I could help,

Glenn
bushman4
 
Posts: 875
Joined: Thu Dec 02, 2010 1:47 pm
Location: Massachusetts, USA

Re: HTTPS Secure - How To Keep Your ISP From Spying

Postby bushman4 » Tue Feb 07, 2012 8:13 pm

If you are not using the redirects at all (i.e., if your server address is set up to https://your.ip.address:YourHTTPSPort/ContextPath like you said it was two messages above) then you only need to open the HTTPS port.

But again, I would not do that... I would leave them both open and let the initial connection happen over HTTP and be redirected to the HTTPS address.

Glenn
bushman4
 
Posts: 875
Joined: Thu Dec 02, 2010 1:47 pm
Location: Massachusetts, USA

Re: HTTPS Secure - How To Keep Your ISP From Spying

Postby text » Tue Feb 07, 2012 8:16 pm

Got it.

Thanks man. Have a nice day.
text
 
Posts: 40
Joined: Tue Feb 07, 2012 7:34 am

