Support SSL/TLS for streaming #8301
Comments
|
Commented by: daschuer Since "auto" is broken we need a preferences option. |
|
Hi, is this closed because it's fixed? |
|
This issue is still open. |
Any ETA? Thanks |
|
nope. |
|
I'd like to get started on this. Perhaps before I dive into my plan for the Icecast/Shoutcast+TLS user story, I just was wondering if we could consider upgrading Back the the issue at hand, here is the suggested UI changes Kooha-2024-03-31-21-00-59.mp4labels to be rephrased! The feature will allow to :
What are your thoughts on this? It might sounds like potentially too much but would also be a great way to have Mixxx leading by example on enforcing proper security standard, while still allowing enough flexibility to get every config feasible. |
|
I have an experimental branch that updates to libshout-idjc 2.4.6 #4723 |
|
The GUI is already overwhelming. Can can we hide the encryption settings when disabled? |
Yes, I'm thinking of hiding all settings if |
|
Yes. We may also help the user to select a certificate. |
If we want to expose this, we can use a combobox with 3 values:
I do not think this is needed, just use the system CA store. If you have a self-singned cert, just import it there.
I have doubts about this. Are there even shoutcast servers that support mutual TLS instead of username/password? If we do not have any example, let's leave this out. What I'd suggest is that we add a button to auto-detect settings, similar to email clients nowadays. In the background it would try to make a TLS handshake with the server and tries the "best security" (modern) cipher suite list first. If the server does not support any cipher, try with medium security and if that doesn't work either we fall back to legacy. This will help users who are overwhelmed by this while still allowing flexibility for more experienced users. |
This compromises the whole system trust chain. I don't think we should encourage use importing self signed certificate in their root chain. I'm not saying this isn't the right approach in some case, but I think we need to allow test setup to work without compromising the global security of our user (and potentially also teach them bad habits). I will keep
A shoutcast server is an HTTP server, so it doesn't matter that *cast server support it or not. This is something that can be done on the proxy or ingress level easily (example).
That's bad security practices and this will expose our user to trivial downgrade attacks. FYI, that's already what the
The default option remains "Disabled" as it used to be (and so other settings will be hidden) so I am not sure what is overwhelming here (cypher to modern, CA defaults to |
|
For me it is unclear whether libshout-idjc 2.4.6 is mandatory for this issue or not. |
|
Do we have a user request, that rectifies the update? |
Technically, we don't. Only feature we get staring from |
This does not compromise the whole system trust chain. When you use a self signed certificate, you usually delete the CA private key immediately after signing, so unless you use a really short key size that makes it possible to derive the private key from the pub key, this does not impact your system security. And to be honest, using self signed certificates for anything other than development is bad practice anyway, since we have Let's Encrypt for self hosted stuff nowadays. I agree that we shouldn't encourage self signed certificates, that's why I think the additional complexity is not needed at all. But in case you really want to use self-signed certs, it is possible via the system trust store.
I really doubt someone is doing this, and this config option just adds complexity. All shoutcast implementation I know require username/password for client auth. Sure, you can add a proxy in front of it that requires it, but is that really realistic that someone does it? I'm not strictly against this, but I would rather not accumulate technical debt and make the UI more confusing when there are zero potential users we know of.
No, it's not the same. As far as I know the auto mode detected it on a per-connection basis. What I was suggesting is to auto-detect it once after configuration. Sure, there can be a downgrade attack if the attacker manages the intercept the connection in thr exact moment when the user first configures the connection. Afterwards, the values are fixed and a downgrade attack is not possible (unless the user goes back to the config and hits the "Detect settings" button again). And in the unlikely case that the attacker actually performs this attact in the right moment, this just affects autoselection and the user can still select higher security settings manually. To be honest, I suspect that this aforementioned downgrade attack at configuration time will work exactly the same in 99% of the cases even if we don't add such an "autodetect" button:
So we don't really lose anything here IMHO, just make configuration less cumbersome and make it possible to select secure defaults (see below).
If we leave the default on "TLS Disabled" the vast majority of users will not use it and just use insecure connections. For these user, all these changes we discuss here would have no benefit at all and just make UI more complicated. Security needs to be usable and enabled by default. Otherwise people just not use it. Hence my suggestion that after typing in the server connection data, we auto-detect security settings once (as described above) so that all users will use the highest TLS security setting supported by their shoutcast server by default. They can still modify these settings, but we avoid that people accidently expose their credentials over an insecure connection because they have no idea what TLS is or what settings their server supports. This would really bring a practical benefit for a large number of users (given that their servers support TLS - but it's 2024 after all, so I guess they do). |
|
Don't get me wrong, I really appreciate your push on this. And I'm not really against stuff like support for TLS Client Certs or custom certificates. But there are many more options: supporting certificate pinning, configuring OCSP stapling, etc. All of them might have some benefit for a few users, but the security improvement will be tiny and only affect a small group of people. In contrast, enabling TLS by default without requiring manual configuration will drastically improve security for a large number of users. This is why I think we should focus on that first. |
Reported by: Pegasus-RPG
Date: 2015-11-17T15:21:06Z
Status: Confirmed
Importance: Wishlist
Launchpad Issue: lp1517087
Tags: broadcast, easy, hackathon
Libshout 2.4.0 adds support for TLS/SSL so we should add the ability to set it explicitly. The library defaults to 'auto' if not explicitly set, but users may need the ability to force it.
The text was updated successfully, but these errors were encountered: