2022-01-04, 12:56
Hi all,
from reading this text on the kodi.tv site, I'm unsure how "secure" the usage of Kore actually is:
https://kodi.tv/article/kodi-remote-acce...endations/
I'm using KORE on my android phone and OSMC / Kodi on a raspberry Pi 3b. It works flawlessly.
But with some quotes of the linked page, I have some questions:
"Do not use the Kodi web server without setting a reasonably-secure password."
- I set a password for the HTTP webserver, so this should be okay
"Do not expose any Kodi external interface (web server, JSON-RPC, event server ...) directly to the Internet."
- I would assume that in normal router configurations without opening ports etc. this should be default so also no issue, correct?
- Or what is meant by "expose directly to the internet"? The RaspberryPi has internet access, but I did not open any ports within router configuration
"Do not enable any external interface in Kodi that you don't actually use. This is especially true for the JSON-RPC service when exposed on all interfaces."
- The help of KORE lets us enable both checkboxes "Allow remote control from applications on this system" & "Allow remote control from applications on other systems"
- but the help of Kodi says we should not do this...
"This is why you should never run the web server without authentication. It allows anyone with access to the server port to completely control your box. Even if you do not expose the web server to the Internet, other machines including your PC or laptop can do this. This is possible from a standard web browser (via JavaScript), so you might visit a malicious web page that does this in the background and not even realise that it's happening."
"Also, keep in mind that neither JSON-RPC over TCP nor EventServer (enabled with the "Allow remote control from applications" setting in Kodi) offer any authentication, so they should usually be restricted to access solely from the box on which Kodi is running ("Allow remote control from applications on this system")."
So what does this all mean? Is activating KORE a security risk by design?
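Added example, not from the post or from the Kodi project: a small POSIX shell check to run on the OSMC box itself that reports whether each Kodi listening socket is bound only to loopback (reachable from "this system" only) or to all interfaces (reachable from every machine on the LAN). The port numbers are assumed Kodi defaults (8080 web server, 9090 JSON-RPC over TCP, 9777 EventServer); adjust them if you changed the ports.

```shell
#!/bin/sh
# Added check (not part of the forum post or of Kodi): classify Kodi's
# listening sockets by the address they are bound to.
# Assumed default ports: 8080/tcp web server (password protected),
# 9090/tcp JSON-RPC over TCP and 9777/udp EventServer (both unauthenticated).
KODI_PORTS="8080 9090 9777"

# Read `ss -lntup` style lines on stdin and print one line per Kodi socket,
# tagged LOCAL (loopback only) or EXPOSED (LAN or all-interfaces address).
kodi_exposure() {
  while read -r proto state recvq sendq local peer rest; do
    # Local address looks like 0.0.0.0:9090, 127.0.0.1:9090, [::]:9777 or *:8080
    port=${local##*:}
    addr=${local%:*}
    case " $KODI_PORTS " in
      *" $port "*) ;;
      *) continue ;;          # not a Kodi port, skip
    esac
    case "$addr" in
      127.*|"[::1]"|"[::ffff:127."*) tag=LOCAL ;;
      *) tag=EXPOSED ;;
    esac
    printf '%s %s/%s %s\n' "$tag" "$port" "$proto" "$local"
  done
}

# Live run on the box: feed the current socket table (header dropped) in.
kodi_exposure_live() {
  ss -lntup | tail -n +2 | kodi_exposure
}

# Constructed sample of `ss -lntup` output (no header), used for the test below.
SAMPLE_SS='tcp LISTEN 0 10 0.0.0.0:8080 0.0.0.0:* users:(("kodi.bin",pid=123,fd=30))
tcp LISTEN 0 10 127.0.0.1:9090 0.0.0.0:* users:(("kodi.bin",pid=123,fd=31))
udp UNCONN 0 0 0.0.0.0:9777 0.0.0.0:* users:(("kodi.bin",pid=123,fd=32))
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=45,fd=3))'
```

Source the file on the Pi and call `kodi_exposure_live`; any EXPOSED line for 9090 or 9777 means "Allow remote control from applications on other systems" is effectively on, and those services accept commands from any LAN host without a password.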