What’s the Deal With Secure Connections?
Why Is It Important?
When browsing the internet or making other connections these days, everyone wants to make sure that the communication taking place is secure and encrypted. Plex has teamed up with DigiCert to provide our users with high quality “SSL” secure certificates for your media servers, at no cost to you. There’s no need to set up VPNs and no need to create and install your own certs. You can safely and securely connect to your media no matter where you are.
After all, everyone loves to see beautiful green locks, right?
Our blog post announcing the release of secure communications spoke about some of the details:
Let’s look at some of the complexities: For starters, secure communication requires something called a certificate, which securely identifies a website. Now anyone can make a (self-signed) certificate, but it can be tedious to install, and for a browser to trust it and give it that elusive green lock, it has to have been signed by a trusted authority. It’s a pretty laughable security experience if the browser warns you that your server isn’t trusted! We knew from the start that we needed real, official certificates, and there are a few problems with that. For starters, they’re expensive, especially when multiplied by a bazillion. And we knew we wanted to give a secure experience to everyone, not just our Plex Pass users. And that’s why we hooked up with the amazing team at DigiCert, and they were all “you want an ungodly amount of certs? We can do that!” So yeah, we’re buying you all DigiCert certificates for your media servers. Because we love you.
Secondly, as mentioned before, we’re on a lot of platforms, and there are lots of nuances to secure communication. For example, did you know that Internet Explorer requires Diffie-Hellman parameters to be larger than 512 bits? Did you know that certain models of LG TVs ship with a specific set of root certificates which is missing some common ones you might expect? Frankly, I hope you have no clue what I’m talking about here, because it gave us some major headaches along the way.
Next is the server itself, which doesn’t just have to support HTTPS, it has to do so avoiding many pitfalls, crocodiles, and whatever else was in that awesome game. Thankfully there are tools to help with that, and they even give you a grade. Let’s just say the Plex Media Server is an overachiever! Its parents are so proud.
Last of all, the media server can be accessed both remotely and on a LAN. At any given time, it may be accessible via multiple addresses. Certificates are generally associated with a small set of unchanging IP addresses. So we’ve worked some DNS magic to remove that limitation, and make things Just Work.
The end result is that you get that beautiful green lock and a secure connection!
Tip!: While most users are familiar with “SSL”, the secure certificates issued to your Plex Media Server actually use TLS, the newer and more secure successor to SSL.
If you’re interested in some of the more technical details, Filippo Valsorda did an excellent writeup.
Related Page: Filippo Valsorda: How Plex is doing HTTPS for all its users
Are All the Communications Secured?
When you’re using a Plex app that supports secure connections (see below) to connect with a secure Plex Media Server, the requests to and communication with that Server are secure. If you stream media from the Server, that’s also secured. There are a few, very specific circumstances in which communication won’t be secure:
- Flinging or casting content using our Plex Companion protocol will not always be secure.
- When making use of a “Manual Connection” that you’ve specifically added in particular Plex apps (e.g. Android or Plex Media Player), the communication won’t be secure.
- Internal, local requests from the System and Framework components to the rest of the Plex Media Server are over regular HTTP. These requests are only on the local machine itself.
How to Enable Secure Connections
Enabling the ability to connect securely with your Plex Media Server is actually really easy. In fact, in a default installation, there isn’t even anything special you need to do, since things will already be set up for you.
- Secure connections require Plex Media Server version 0.9.12.3 or newer. So, make sure you’re running a current version of the server.
- Sign in to your Plex account in the server.
- Under Settings > Server > Network in the Plex Web App, make sure that the Secure Connections preference is not disabled (we recommend leaving it at the default setting of
The following Plex apps will support secure connections to your Plex Media Server:
- Amazon Fire TV
- Android (mobile)
- Android TV
- Apple TV
- PlayStation 4 (PS3 has device limitations)
- Plex Home Theater
- Plex Media Player
- Plex Web App
- Smart TVs and TiVo
  - LG (“NetCast” only)
  - Samsung (2016+ models)
  - TiVo (Series 6 devices)
  - Vizio (2017+ models)
- Windows and Windows Phone
- Xbox One (Xbox 360 has device limitations)
How Do I Know Connections Are Secure?
When a secure connection to a particular Plex Media Server is available, you’ll generally see a green “lock” icon next to the server name to let you know that it’s secure.
Plex Web App
When you go visit plex.tv/web in a browser, the app will automatically redirect as appropriate for you, based on whether the servers associated with your account (your own and shared with you) support secure connections:
- If your account is associated only with secure servers, you’ll connect securely to https://app.plex.tv/desktop
- If any of your associated servers don’t support secure connections, you’ll connect to http://app.plex.tv/desktop over regular HTTP
So, if you have all secure servers, you’ll get that awesome green lock in the browser!
Tip!: You can always manually go to https://app.plex.tv/desktop to force using a secure connection to Plex Web App. Of course, if your servers don’t support secure connections, then they won’t be accessible.
Connecting via HTTPS
When you connect to Plex Web App via HTTPS (e.g. https://app.plex.tv/desktop), you can be sure that all the connections are secure.
- For servers that support secure connections, they’ll be listed and have a green lock next to their name.
- If you have a server that doesn’t support secure connections, then you’ll see it listed with a note that it can’t be reached securely.
- In such a case, if you choose to follow the Click here link, then the browser will reload using a regular HTTP connection, but your communication with those particular servers will not be secure.
Connecting via HTTP
If you connect to Plex Web App via regular HTTP (e.g. http://app.plex.tv/desktop), then some communication may not be secure.
- For servers that support secure connections, they’ll be listed with a green lock next to their name and communication with that particular server will be secure.
- Communication to servers without the green lock next to their name will not be secure.
- When Plex Web App is loaded via HTTP, secure connections will be first attempted, but if they’re not available or fail, then the app will fall back to regular HTTP connections. The presence/absence of the green lock next to the server name will tell you the current status.
Tip!: If for some reason you wish to force a regular HTTP connection to Plex Web App, you can load the app via http://app.plex.tv/desktop?secure=0.
Using the Bundled Plex Web App
By default, the local, bundled version of Plex Web App will load over HTTP. Just like above, if individual servers support secure connections and are listed with a green lock, then communication with those particular servers will be secure.
You can, of course, attempt to force an HTTPS connection simply by using https:// in the URL. If you do so, since the server’s certificate isn’t issued for “localhost” (for example), your browser will almost certainly warn you that there isn’t a valid certificate for that connection.
You can make an exception there if you wish, but you won’t see the green lock in the address bar as you would if using the standard hosted web app securely. If you wish to see the green lock in the address bar, you’ll want to connect as described earlier.
What About Via IP or My Own Domain?
Some users may be used to accessing their server’s bundled Plex Web App through something like http://public.wan.ip.address:32400/web or http://mycustomredirecteddomain.com:32400/web when away from home. If you just switch to using https:// in the URL, you’re going to see the same sort of behavior as described above for “Using the Bundled Plex Web App”. The certificate that’s been issued to your server isn’t signed for your IP address or your custom domain, so it won’t report itself as valid for those.
Instead, simply launch the app through plex.tv/web as described earlier so that you can take advantage of the secure connections as intended.
Why Isn’t It Working?
In rare cases, your apps may still not be able to connect securely with your Plex Media Server. In nearly all cases, this is caused by issues with your router/modem or network. It also isn’t currently possible to connect securely to a “mobile server” running in one of your mobile apps.
If you enable the “mobile server” in a mobile app such as Android, iOS, Windows 8.1, or Windows Phone, it isn’t currently possible to connect to it securely, so connections to those mobile servers will be insecure.
If you wish to allow mobile servers to be included in the list for the Plex Web App, you can force accessing the app itself insecurely as noted earlier. To do so, access the web app using the http://app.plex.tv/desktop?secure=0 URL.
Some routers or modems have a feature known as “DNS rebinding protection”, some implementations of which can prevent an app from being able to connect to a Plex Media Server securely on the local network. For most users, this won’t be an issue, but some users of higher-end routers (or those provided by some ISPs) may run into problems.
Similarly, some DNS providers (including some ISPs) may have this feature.
DNS rebinding protection is meant as a security feature, to protect insecurely-designed devices on the local network against attacks. It provides no benefit for devices that are designed and configured correctly.
In some cases, your ISP itself may provide rebinding protection when using their DNS services. In this case, you can switch to using a different DNS service. Depending on your personal setup, you may need to update either your router’s configuration, the configuration on your computer(s), or both.
There are many free and easy-to-use alternative DNS services. Some of the more popular:
We can’t provide instructions for all possible configurations, but the most common scenarios for this issue include using “dnsmasq” (often on DD-WRT based routers), and using pfSense. You may need to consult your router’s documentation for more details about DNS rebinding protection.
To allow secure connections to work correctly on the local network if you are using “dnsmasq” with DNS rebinding protection enabled, you will need to add the following line to your configuration file (the “advanced settings” box in DD-WRT):
Related Page: Manpage for Dnsmasq
pfSense DNS Resolver
Similarly, if you are using pfSense’s internal DNS resolver service, you’ll want to adjust that configuration. In the pfSense web UI, go to Services > DNS Resolver, click Display Custom Options, and enter the following in the text box:
server:
private-domain: "plex.direct"
Related Page: pfSense: DNS Rebinding Protections
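As an added diagnostic example (not code from the Plex article or from Plex itself) covering both the dnsmasq and the pfSense cases above, the Python below recovers the address a plex.direct name should resolve to, classifies what a resolver actually returned so that a stripped private-range answer (the signature of DNS rebinding protection) stands out, and emits the corresponding dnsmasq and unbound allow-list lines. It assumes the hostname layout `<ip-with-dashes>.<hash>.plex.direct` described in Filippo Valsorda’s writeup linked earlier; the sample answers in the test are constructed.

```python
import ipaddress
import re
import socket

# Assumption (from the writeup linked above): the per-server hostname embeds the
# server's own IP with dashes, e.g. 192-168-1-10.<hash>.plex.direct -> 192.168.1.10
PLEX_DIRECT_RE = re.compile(r"^(\d{1,3}(?:-\d{1,3}){3})\.[0-9a-z]+\.plex\.direct$")


def expected_ip(hostname):
    """Recover the IPv4 address a plex.direct name is expected to resolve to."""
    m = PLEX_DIRECT_RE.match(hostname.lower())
    if not m:
        raise ValueError("not a plex.direct hostname: %s" % hostname)
    return ipaddress.IPv4Address(m.group(1).replace("-", "."))


def diagnose(hostname, answers):
    """Classify a resolver's answers for a plex.direct name.

    answers: list of address strings the resolver returned (empty if NXDOMAIN
    or the answer was filtered). Returns one of: ok, rebind-protection,
    nxdomain, unexpected-answer.
    """
    want = expected_ip(hostname)
    got = {ipaddress.ip_address(a) for a in answers}
    if want in got:
        return "ok"
    if not got and want.is_private:
        # An RFC 1918 answer that silently disappears is exactly what DNS
        # rebinding protection does: it refuses to hand out private addresses
        # for public names, so the LAN secure connection cannot be made.
        return "rebind-protection"
    if not got:
        return "nxdomain"
    return "unexpected-answer"


def live_diagnose(hostname):
    """Query the system resolver and classify the result (needs network)."""
    try:
        _, _, addrs = socket.gethostbyname_ex(hostname)
    except socket.gaierror:
        addrs = []
    return diagnose(hostname, addrs)


def dnsmasq_allow(domain="plex.direct"):
    """dnsmasq option that exempts a domain from rebinding protection."""
    return "rebind-domain-ok=/%s/" % domain


def unbound_allow(domain="plex.direct"):
    """Custom-options text for the unbound-based pfSense DNS Resolver."""
    return 'server:\nprivate-domain: "%s"' % domain
```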
Remote Access Workaround
In some cases, it may be possible to work around DNS rebinding protection by enabling Remote Access for your server. When enabled, this allows connections to be made via your public/WAN address. In most cases, your router will automatically keep such connections within your LAN, though this isn’t universal across all routers.
Warning: When working around DNS rebinding protection this way, your apps and Plex Media Server will typically treat the connections as being from a “Remote” source. This can affect which streaming qualities are used, as well as trigger Remote-applicable Server Settings - Bandwidth and Transcoding Limits.
Related Page: Troubleshooting Remote Access