1. Dear visitor, you are viewing Rapid IPTV as a guest member who has restricted access to our forum. You can either sign-up or login with your username here: http://www.rapidiptv.com/login/

https

Discussion in 'Feedback & Suggestions' started by Mercado, Sep 22, 2016.

Watchers:
This thread is being watched by 2 users.
  1. Mercado

    Mercado Reseller Reseller

    80%
    Joined:
    Sep 5, 2016
    Messages:
    30
    Likes Received:
    12
    Liked:
    11
    Trophy Points:
    8
    Gender:
    Male
    Home Page:
    Device:
    Android boxes of all makes and models
    Reseller Username:
    tvclub
    Suggestion: why are the links generated for m3u not https to avoid them going around with passwords in cleartext?
    SSL certificates are so cheap nowadays....

    https://clientportal.link:8080 would be a nice way to avoid this type of connections being snooped and someone stealing our accounts....

    Thoughts?

    EDIT: now that I think about it... the password is always going to be in cleartext anyways as it's a GET request... so I guess I answered my own question...
     
  2. Swift IPTV

    Swift IPTV Reseller Reseller

    45%
    Joined:
    Aug 1, 2016
    Messages:
    180
    Likes Received:
    50
    Liked:
    61
    Trophy Points:
    28
    Gender:
    Male
    Home Page:
    Device:
    Kodi / Android / MAG
    Reseller Username:
    swiftiptv
    I was just about to post about the way the script works so well done for spotting that it's a GET request and not a POST request.

    SSL is not a bad idea - Cloudflare offer free flexible SSL so it doesn't even have to cost money. I use it myself and it works quite well.

    However, I can't think of any reasons and/or benefits to serving the m3u download URL over https vs normal http (other than a pretty little padlock icon in the address bar). PHP, as you know, will only execute server side and no credentials really hit the server anyway. The download script just processes a m3u file with all the links and just changes the username and password variables to suit based on user entry.

    Open to thoughts on this though!

    Edit: I suppose one of the ways the download link could be made secure would be with token expiring unique URLs (that expire after 1-3 requests or after 24 hours etc). I can see it causing a few issues for people that want to dynamically update their playlist via online apps though...
     
    Last edited: Sep 22, 2016
    Mercado likes this.
  3. Mercado

    Mercado Reseller Reseller

    80%
    Joined:
    Sep 5, 2016
    Messages:
    30
    Likes Received:
    12
    Liked:
    11
    Trophy Points:
    8
    Gender:
    Male
    Home Page:
    Device:
    Android boxes of all makes and models
    Reseller Username:
    tvclub
    It's not about the padlocks, it's more about finding a way to avoid passwords being sent over the internet in cleartext (by our boxes in this case) that can be intercepted and abused.

    For bandwidth and performance reasons I see no point in sending the content from the streaming servers to our boxes via any https connection...
     
    Swift IPTV likes this.
  4. Swift IPTV

    Swift IPTV Reseller Reseller

    45%
    Joined:
    Aug 1, 2016
    Messages:
    180
    Likes Received:
    50
    Liked:
    61
    Trophy Points:
    28
    Gender:
    Male
    Home Page:
    Device:
    Kodi / Android / MAG
    Reseller Username:
    swiftiptv
    I didn't think of that - I know some users just use their download URL as their source so you're correct - Can be snooped and because it is a GET request, it's logged somewhere. My mistake! :)
     
    Mercado likes this.
  5. Mercado

    Mercado Reseller Reseller

    80%
    Joined:
    Sep 5, 2016
    Messages:
    30
    Likes Received:
    12
    Liked:
    11
    Trophy Points:
    8
    Gender:
    Male
    Home Page:
    Device:
    Android boxes of all makes and models
    Reseller Username:
    tvclub
    Yes! If there was a way to request a m3u file from some kind of API running https that'd be great! I'm dynamically generating m3u lists so users can sort their channels themselves and am looking for ways to get this whole process secure...
    Open for all suggestions!
     

Share This Page

Loading...