[vlc-devel] [PATCH 9/9] lua: http: Announce the web interface over mdns
Rémi Denis-Courmont
remi at remlab.net
Fri Sep 4 16:47:26 CEST 2020
Hi,
Le torstaina 3. syyskuuta 2020, 12.59.06 EEST Alexandre Janniaux a écrit :
> I agree that it must not be exposed (even on local network)
> until HTTP is a bit more secure,
"HTTP" is not getting "a bit more secure".
We can define a secure remote control interface, with user-friendly pairing and
what-not, for VLC remote control applications to use. Then we can advertise on
the local network it for autodetection. I would be tempted to use CoAP rather
than HTTP, but we can stick to HTTP or do both.
However, that would not be "HTTP" in the sense that it would not be a (secure)
web site that can be readily opened in a web browser, even if the application
layer could still be HTTP. In other words, the remote control interface would
no longer be confounded with the AJAX backend of the web interface.
> but it is probably ok if
> disabled by default and enabled through an option.
Bad Idea™.
I think it's a miracle that we've gotten so little negative press about the
HTTP interface. Adding network advertisement is like painting a cross aim over
it for infosec folks.
--
Rémi Denis-Courmont
http://www.remlab.net/
More information about the vlc-devel
mailing list