Home of the Squeezebox™ & Transporter® network music players.
  1. #1
    Senior Member
    Join Date
    Mar 2008
    Posts
    603

    https for internal network?

    A friend is finally getting his music online and is looking at LMS alternatives due to the fact that, as far as either of us can tell, all communication via the web interface, smartphone/tablet clients, etc. is vanilla http and not https.

    I don't recall ever reading complaints about this here before and am wondering if anyone else views this as a real problem. His concern is that somehow malware will ride in and...I'm not entirely sure.

    One specific complaint he has is plain text login to the server, which makes me wonder if there's any reason to have a password in the first place if you aren't opening ports (bad idea!) and aren't trying to keep kids out.

    Is he overreacting or are we fans just accepting the risk because everything else about LMS works so well?

    He's talking about going to the dark side and getting $ono$ on the assumption that it's more secure.

    Any and all advice is welcome.

  2. #2
    Senior Member
    Join Date
    Feb 2011
    Location
    Cheshire, UK
    Posts
    6,234
    Quote Originally Posted by atrocity
    A friend is finally getting his music online and is looking at LMS alternatives due to the fact that, as far as either of us can tell, all communication via the web interface, smartphone/tablet clients, etc. is vanilla http and not https.

    I don't recall ever reading complaints about this here before and am wondering if anyone else views this as a real problem. His concern is that somehow malware will ride in and...I'm not entirely sure.

    One specific complaint he has is plain text login to the server, which makes me wonder if there's any reason to have a password in the first place if you aren't opening ports (bad idea!) and aren't trying to keep kids out.

    Is he overreacting or are we fans just accepting the risk because everything else about LMS works so well?

    He's talking about going to the dark side and getting $ono$ on the assumption that it's more secure.

    Any and all advice is welcome.
    No significant risk. http via port 80 on an internal network is commonplace.
    I'd hazard to say that most of us don't use a password on the web interface at all - it gets in the way of things.
    Jim
    https://jukeradio.double6.net


    VB2.4 storage QNAP TS419p (NFS)
    Living Room Joggler & Pi4/Khadas -> Onkyo TXNR686 -> Celestion F20s
    Office Joggler & Pi3 -> Denon RCD N8 -> Celestion F10s
    Dining Room SB Radio
    Bedroom (Bedside) Pi Zero+DAC ->ToppingTP21 ->AKG Headphones
    Bedroom (TV) & Bathroom SB Touch ->Denon AVR ->Mordaunt Short M10s + Kef ceiling speakers
    Guest Room Joggler > Topping Amp -> Wharfedale Modus Cubes

  3. #3
    Senior Member
    Join Date
    Feb 2008
    Posts
    5,306
    Quote Originally Posted by atrocity
    A friend is finally getting his music online and is looking at LMS alternatives due to the fact that, as far as either of us can tell, all communication via the web interface, smartphone/tablet clients, etc. is vanilla http and not https.

    I don't recall ever reading complaints about this here before and am wondering if anyone else views this as a real problem. His concern is that somehow malware will ride in and...I'm not entirely sure.

    One specific complaint he has is plain text login to the server, which makes me wonder if there's any reason to have a password in the first place if you aren't opening ports (bad idea!) and aren't trying to keep kids out.

    Is he overreacting or are we fans just accepting the risk because everything else about LMS works so well?

    He's talking about going to the dark side and getting $ono$ on the assumption that it's more secure.

    Any and all advice is welcome.
    Sonos? It uses Samba ver 1 - so there's a huge risk for a start (if you're that paranoid).

    LMS doesn't need a password to login (whatever login means) because you don't login unless you are trying to access from outside your home network.
    ------------------------------------------------------------------------------------

  4. #4
    Member
    Join Date
    Jun 2020
    Location
    UK
    Posts
    68
    Maybe I should be worried my kids will delete my music - they do say most of it is awful.

  5. #5
    Senior Member
    Join Date
    Dec 2020
    Posts
    186
    I have no clue why you should set a password on LMS. I even showed my 8-year-old how she could use an old phone (without SIM) as a graphical remote for her Boom. The HTTP interface also only executes specifically coded content, so there is no possible exploit in the form of arbitrary code injection - which in fact will work on https sites as well. Lastly, the only people able to sniff out traffic between you and the LMS server have to be on the same LAN, where you are most likely running the most unsafe protocol in existence, namely SMB, otherwise known as Windows file sharing. Exception of course if ports were opened to allow control over the internet, but why on earth would anyone want to control music in some room while being literally miles away from it?

    That said, I actually access my LMS through an Apache proxy which eliminates the `:9000` in the URI. If one really, really insists on HTTPS then adding it at this level is even less than a piece of cake.

  6. #6
    Junior Member
    Join Date
    Oct 2021
    Posts
    3

    I think port 9000 should definitely have a password

    Here's a couple of reasons I think port 9000 should have a password:

    1. Port 9000 lets you do some things that should only be done by an authenticated administrator. Two examples are setting passwords and turning CSRF protection on/off.
    2. The password can be set without having to enter the old password.
    3. The CVEDetails site shows that LMS has had security holes in the past, and we have to assume it has some today. Without a password, those holes are exploitable by anyone who has access to your network.
    4. Sonos has terrible security. I'm new here, so I don't know if LMS developers would care that better security is a competitive advantage over Sonos. Sonos can't offer it due to backwards-compatibility concerns.


    People who don't agree should be able to run without a password, but it should at least be an option.

  7. #7
    Junior Member
    Join Date
    Oct 2021
    Posts
    3

    I also think there should be an HTTPS port

    One more thought: there ought to be a port 9443 that lets you interact with LMS over HTTPS. When I'm prompted for a login, Chrome displays a "basic auth" dialog box that tells me that my password will go over the network in the clear. Even if you don't think a password is necessary, we can all agree that passwords ought to be encrypted before they're sent across the network.

  8. #8
    Babelfish's Best Boy mherger's Avatar
    Join Date
    Apr 2005
    Location
    Switzerland
    Posts
    20,624

    https for internal network?

    > One more thought: there ought to be a port 9443 that lets you interact
    > with LMS over HTTPS. When I'm prompted for a login, Chrome displays a
    > "basic auth" dialog box that tells me that my password will go over the
    > network in the clear. Even if you don't think a password is necessary,
    > we can all agree that passwords ought to be encrypted before they're
    > sent across the network.


    Technically your points are valid. I'm sure you could somehow protect
    LMS using a proxy. But as the players don't support https, there are
    limits in what you can protect - they need access to non-encrypted http
    on port 9000.

    That said: if you fear that somebody who has access to your LAN would
    abuse this power to sniff your LMS password, then you got a bigger
    problem. Keep in mind that sniffing requires physical access to the
    network connection between your LMS machine and the client. Or the
    privilege to run the required tools on critical systems. Don't give
    anyone you don't trust this level of access to your network.

    LMS' password protection really is just to prevent the accidental change.

  9. #9
    Junior Member
    Join Date
    Oct 2021
    Posts
    3
    Quote Originally Posted by gordonb3
    That said, I actually access my LMS through an Apache proxy which eliminates the `:9000` in the URI. If one really, really insists on HTTPS then adding it at this level is even less than a piece of cake.
    Do you use the proxy just to eliminate the need to add ':9000' to the URL, or is there another reason? If you were to switch your proxy to use HTTPS, what would break?

  10. #10
    Senior Member
    Join Date
    Dec 2020
    Posts
    186
    Quote Originally Posted by rick_k
    Do you use the proxy just to eliminate the need to add ':9000' to the URL, or is there another reason? If you were to switch your proxy to use HTTPS, what would break?
    No other reason and changing the communication to HTTPS wouldn't make it any different from a client perspective.

    Plain HTTP proxy:
    Code:
    <VirtualHost *:80>
        ServerAdmin webmaster@localhost
        ServerName <FQDN name>
        ServerAlias <short name>

        # Anything that is not a real file under DocumentRoot is proxied to
        # LMS on port 9000 (needs mod_rewrite, mod_proxy and mod_proxy_http).
        RewriteEngine on
        RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME} !-f
        RewriteRule ^/(.*)$ http://%{HTTP_HOST}:9000/$1 [NE,P,L]
    </VirtualHost>

    HTTPS proxy:
    Code:
    <VirtualHost *:443>
        ServerAdmin webmaster@localhost
        ServerName <FQDN name>

        # TLS ends here; the hop from Apache to LMS on port 9000 stays plain
        # HTTP, which the players need anyway.
        SSLEngine on
        SSLCertificateFile      /etc/letsencrypt/live/<FQDN name>/fullchain.pem
        SSLCertificateKeyFile   /etc/letsencrypt/live/<FQDN name>/privkey.pem

        RewriteEngine on
        RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME} !-f
        RewriteRule ^/(.*)$ http://%{HTTP_HOST}:9000/$1 [NE,P,L]
    </VirtualHost>
    And to control access to LMS settings you could insert something like this:
    Code:
        # Ask the browser for a client certificate but do not require one for
        # the whole site; only /settings below checks the verification result.
        SSLVerifyClient         optional
        SSLVerifyDepth          1
        SSLOptions              +StdEnvVars
        # CA used to verify the client certificate chain; without it
        # SSL_CLIENT_VERIFY never reads SUCCESS for a private CA.
        SSLCACertificateFile    /etc/apache2/MySnakeOilCA.crt
        # CA names advertised to the browser so it offers the right certificate.
        SSLCADNRequestFile      /etc/apache2/MySnakeOilCA.crt

        <Location /settings>
            RewriteEngine on
            RewriteBase /settings
            # Refuse any request that did not present a certificate signed by
            # the CA above (.* matches regardless of how much of the path
            # Apache has already stripped in Location context; 403 would be
            # the more conventional status than 500).
            RewriteCond %{SSL:SSL_CLIENT_VERIFY} !^SUCCESS$
            RewriteRule .* - [R=500,L]
        </Location>
    This requires self-signed (aka `Snakeoil`) certificates because x509 client certificates must be verified by a locally stored CA.
