We’re incredibly excited to let you know that we’re teaming up with DigiCert to provide all of you with high quality SSL certificates for your media servers, at no cost to you. Your media server will now be able to communicate securely with top-grade encryption. This may not sound like a big deal, but we’re not exaggerating when we say that this will be one of the largest implementations of publicly trusted certificates, ever.
When we first started our little operation so many years ago, the Internet was a much kinder and gentler place. Ah, the halcyon days before NSA wiretapping, ISP traffic shaping, POODLE, Heartbleed, and LaBRADooDLE.
Okay, I made that last one up, but it’s only a matter of time.
Needless to say, times have changed. In today’s Internet security climate, it’s a laughable offense if every packet leaving and entering your network is not encrypted, its recipient verified. The security community has rallied to create some truly amazing technology to enable this for traditional web sites. In a nutshell, your browser and your bank’s website work their asses off under the hood to render that coveted “green lock” which assures you that yes, the form that you’re typing your account number and password into is actually your bank’s and not, in fact, being served up by a golden retriever.
This is tricky enough when trying to secure a single web server, but for a system like Plex, comprised of a bazillion servers talking with clients running on every platform under the sun, it’s another matter entirely.
(At which point, the peanut gallery yells “Just add an S to wherever you were using HTTP. Duh.”)
Oh, if only it were that easy…
Let’s look at some of the complexities: For starters, secure communication requires something called a certificate, which securely identifies a website. Now anyone can make a (self-signed) certificate, but it can be tedious to install, and for a browser to trust it and give it that elusive green lock, it has to have been signed by a trusted authority. It’s a pretty laughable security experience if the browser warns you that your server isn’t trusted! We knew from the start that we needed real, official certificates, and there are a few problems with that. For starters, they’re expensive, especially when multiplied by a bazillion. And we knew we wanted to give a secure experience to everyone, not just our Plex Pass users. And that’s why we hooked up with the amazing team at DigiCert, and they were all “you want an ungodly amount of certs? We can do that!” So yeah, we’re buying you all DigiCert certificates for your media servers. Because we love you, and because your security and privacy is really important to us.
Secondly, as mentioned before, we’re on a lot of platforms, and there are lots of nuances to secure communication. For example, did you know that Internet Explorer requires Diffie-Hellman primes to be larger than 512 bits? Did you know that certain models of LG TVs ship with a specific set of root certificates which is missing some common ones you might expect? Frankly, I hope you have no clue what I’m talking about here, because it gave us some major headaches along the way, but if you’re nodding your head as you reach for your small-batch home brew IPA, send us a resume. No, really.
Next is the server itself, which doesn’t just have to support HTTPS, it has to do so avoiding many pitfalls, crocodiles, and whatever else was in that awesome game. Thankfully there are tools to help with that, and they even give you a grade. Let’s just say the Plex Media Server is an overachiever! Its parents are so proud.
Last of all, the media server can be accessed both remotely and on a LAN. At any given time, it may be accessible via multiple addresses. Certificates are generally associated with a small set of unchanging IP addresses. So we’ve worked some DNS magic to remove that limitation, and make things Just Work.
So what does it look like? Well, it might be a bit anticlimactic, because everything just works as it did before. Well, except for the BEAUTIFUL GREEN LOCK AND SECURE CONNECTION!
So what do you have to do? Well, update to the latest release (v0.9.12.3), and make sure you’re signed in. Also, check out our support article on the topic. We’ve silently pushed support for secure connections to Android, Roku (Preview app), the web app, Windows, and Plex Home Theater. (Gaming consoles and Smart TVs coming soon, and iOS is wrapping up a major release which includes full support for secure connections.)
Since all servers won’t update at the same time, we make it clear with a green lock which servers are secure. If you’re connecting to a friend’s server which isn’t, encourage them to upgrade. Cajole them with free alcohol. Or a cronut.
This release brought to you by upside-down Barkley. Who wants to give him a belly rub?