If you believe the threat of a company scanning a Jellyfin server in an attempt to find copyrighted media is a realistic one, then that’s fine. I do not.

your more worried about the data that secures your media more than the actual security of the media?

As I said previously, friends and family use my server. Many who are likely to fall for phishing attempts after their email is leaked in a breach like this. I believe the likelihood of them receiving a malicious email from an attacker pretending to be Plex after a breach is much higher than a company successfully scanning my server for copyrighted materials.

Edit:

Like I’ve said a few times. I agree that this should be changed. I do very much hope that Jellyfin does so, and I do feel that it’s worth warning users about. I also still find Jellyfin to be a better option for me than Plex. My own risk tolerance allows for the incredibly tiny possibility a company successfully finds media on my server.

There is no point in continuing this discussion, as we simply disagree, and that is not going to change here.

“ahh” doesn’t come from avoiding online censorship, like terms such as “unalived”. It’s just a co-opting of AAVE, something that happens very frequently online.

It’s not. It’s an MD5 of the filepath. UUIDs are generic and random, not specifically tied to something.

Fair enough, I was not aware of this, and I wish the developers made this more clear in the issue thread. This does not change my point that my media is not confidential data. I do agree that it should be by default, but a “breach” where someone accesses a piece of media from my server has no tangible impact on me or my server. A breach that includes my email and account information, absolutely does.

Depending on your security posture

Is exactly the problem I have though with the evangelical preaching all about jellyfin here. I’ve brought this topic up probably about a half dozen times in the 2 years I’ve been on lemmy… and a while longer before on Reddit. DOZENS of people comment the same things you are… and get it completely wrong. And many more end up messaging me or responding that they had no idea this was an issue. Yet I continue to see people singing praises of Jellyfin! and how it must be so much more secure! When it completely isn’t. So many people brush it off… then flip their shit about Plex doing something.

I don’t entirely understand what this response has to do with what I said. I’m surprised to hear you say that people praise Jellyfin as being far more secure than Plex, as I have not heard that. Security has nothing to do with why I use Jellyfin over Plex.

Overblown if you have mitigations? Sure… but how many do? And why are we treating software that is taking actual actions to better security as “Worse” than something that can’t clear a simple problem in 5+ years because devs don’t want to “break compatibility”.

I feel it’s overblown either way, as I don’t believe the average user considers their media sensitive enough for it to be an issue. I’m not treating Plex as worse. Again, I’M NOT THE ONE WHO SAID ANY OF THAT. I am simply stating that in this specific instance, this Plex breach has a worse impact than the Jellyfin security concerns you bring up.

Which immediately points to Jellyfin… as if it was “better” somehow. while downplaying the actual issue without actually reading what I’m complaining about

My guy, I didn’t start the comment thread, I’m not the one who brought up Jellyfin. I also believe I responded to every point I made, while you ignored many of mine. I don’t know how you can say I’m not reading your comment. You’re being very weirdly hostile when I’m just trying to have a conversation. I don’t have significant stakes in either Plex or Jellyfin. I do prefer one, but I don’t give a shit what others want to use.

Edit3: OH! forgot this as well… “well they’d need to know where to find servers before they can access them to check!” Yup… hello shodan! https://www.shodan.io/search?query=jellyfin Would be trivial to make a script that does all of this and crawls shodan or other sources for domain/ip information. Hell you can probably just look up all LE certs issued that contain “jf” or “jellyfin” or other permutations of subdomains too. But shodan has a list of 11,788 when I check… that’s not insignificant…

Just want to add that I’m not some completely uninformed user. I have a career in cybersecurity, as well as a degree and plenty of certifications. When discussing a vulnerability, we need to consider the actual risk of a vulnerability, using its likelihood of being exploited and its potential impact. The likelihood of someone attempting to brute force media on my Jellyfin is practically nonexistent, as they have essentially nothing to gain. At best, they find an episode of a show or movie that they could find elsewhere. The impact of someone exploiting this vulnerability is also practically nothing. They would get a stream of the video, minutely impacting the performance of my server.

Again, to be clear, I AGREE with sharing this information. People should be aware of this when using Jellyfin. However, it is not an issue for the majority of users. It is also not anywhere near as bad as a breach of actual account information, data that actually is sensitive. I do not agree with framing it to look like using Jellyfin should be considered generally insecure.

Edit: minor phrasing adjustments

Complete access to your media without authentication isn’t “don’t give you any data”.

The media on my server is not what I’d consider private data, it’s just media. If someone wants to spend their time brute forcing randomized UUIDs to have a minuscule chance of viewing some media on my server, then I really couldn’t care less. Especially since they’re gonna get blocked by http probing detection after a few tries.

If someone could the emails and hashed passwords, then I would care about the spam I’d be constantly receiving after and the possibility of my friends and family’s passwords being exposed, as not all of them use secure passwords (despite my best efforts to convince them to change that).

Simply put, if I was using Plex right now, this breach would impact the many family members and friends using my server, something I’d feel guilty about. Meanwhile, with Jellyfin, none of these concerns would have any effect on them.

Edit: You ninja edited your post… bad nettiquette.

I edited it right after posting because I accidentally clicked post. Didn’t think you’d respond that fast.

Meanwhile you’re all frothing at the mouth cause Plex leaked email addresses and encrypted passwords.

This was my only comment in the thread. Kinda feels like your reply here is taking out your frustration with this entire thread on my reply.

put the endpoints behind your own authentication through your reverse proxy.

Breaks every app for jellyfin including tv apps. So no. that’s not a valid answer.

I assumed you were talking about stuff besides media playback. There are other endpoints that can be secure using your reverse proxy without breaking any apps.

Jellyfin just lets everyone in that can guess a filepath

That’s not how the endpoint works. It is a randomized UUID.

Depending on your security posture, this may be an issue for you. It is not for me, and likely is not for many other users. My media is not sensitive information. My email and other identification info is.

Edit: formatting

Endpoints that dont give you any data that would be considered a breach.

That unauthentic endpoint shit is so overblown. They should be authenticated and I hope it changes in the future, but its really not a serious issue. If they worry you, put the endpoints behind your own authentication through your reverse proxy.

i guess it makes sense that the people who do it are chronically online and I’d never meet them in real life

I have never met a single person who is using those euphemisms outside of sites that will censor them.

Zero chance any of this is true.

most banks have zelle built into their own app. yeah zelle charges the bank a fee when you use it, but typically you aren’t paying any, unless you use a really shitty bank.

nearly every bank in the US uses Zelle which lets you send money to another persons account with no fees, just using their phone number. for some reason people just prefer to use stupid shit like venmo.

you dont need to install zelle it came free with your fucking bank account

No problem! In case you havent found it already, the packages and options are available to search here: https://search.nixos.org/packages

You need to add the package for your preferred editor to your configuration.nix and rebuild your system