<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">
TBR,
<div class=""><br class="">
</div>
<div class="">Thanks for the clarification. Where can I read more about security - related to http(s), online streaming and websites? Where do I start?
<div class=""><br class="">
</div>
<div class="">In the past I’ve seen the anything but 80 and 443 blocking thing, especially in government offices. Haven’t experienced those complaints in while, but it is a good suggestion! I assume I can add the ports in the icecast.xml, open them in the various
places (computer/dns), and be ok? No need to answer, I’ll look it up! I’m running on Centos 7. </div>
<div class=""><br class="">
<div class="">
<div style="color: rgb(0, 0, 0); letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">
<div style="color: rgb(0, 0, 0); letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">
<div style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">
<div style="color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px;">
Patricia Moynihan<br class="">
Director of Digital<br class="">
<br class="">
<a href="mailto:pmoynihan@fsu.edu" class="">pmoynihan@fsu.edu</a><br class="">
850-645-6067<br class="">
850-645-7200</div>
</div>
</div>
</div>
</div>
<div><br class="">
<blockquote type="cite" class="">
<div class="">On May 10, 2019, at 1:29 PM, Thomas B. Rücker <<a href="mailto:thomas@ruecker.fi" class="">thomas@ruecker.fi</a>> wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div class="">Hi Patricia,<br class="">
<br class="">
On 5/10/19 2:48 PM, Patricia Moynihan wrote:<br class="">
<blockquote type="cite" class="">Yes I meant HTTPS over HTTP, which yes, I’m differentiating by those<br class="">
port numbers. Thanks for clarifying! We have been streaming HTTP for a<br class="">
long time, but I am at a university and there is a lot of emphasis on<br class="">
security. I was never really sure what the certificate did for us in<br class="">
this case…but was attempting to comply! <br class="">
</blockquote>
<br class="">
<br class="">
For you there is no direct security benefit. It does 'comply' with<br class="">
'tickbox-security' though and gets you the 'security people' off your<br class="">
neck. Achievement unlocked!<br class="">
<br class="">
side note: you don't seem to be running any service on port 80 nor 443.<br class="">
Consider adding those to your Icecast configuration to increase your<br class="">
client compatibility, especially in terms of Browsers and "corporate<br class="">
networks that block everything that's not on port 80 or 443 for<br class="">
'security' reasons". If your server runs Debian or Ubuntu, this will be<br class="">
a bit more involved, but still fairly easy (there are descriptions found<br class="">
e.g. in the list archive)<br class="">
<br class="">
<br class="">
<br class="">
<blockquote type="cite" class="">Over the years we have had a small handful of IPs trying to<br class="">
maliciously access our Icecast server over port 8000. I guess the less<br class="">
of that I have to deal with, the better. But if there are streaming<br class="">
aggregators out there who can’t use the HTTPS over the HTTP, then it<br class="">
may be better to deal with the inconvenience once in a while.<br class="">
</blockquote>
<br class="">
<br class="">
I'm sorry, but as an information security professional I MUST<br class="">
disillusion you on this.<br class="">
<br class="">
Adding HTTPS does absolutely ZERO for the security of your Icecast<br class="">
server, *especially* in terms of "IPs trying to maliciously access" it.<br class="">
This ties into the "threat model" I mentioned. (The only exception would<br class="">
be legitimate source client connections from the Internet and I strongly<br class="">
suspect that not to be the case here)<br class="">
<br class="">
The only thing that you could call a security improvement is on the<br class="">
client side. It is no longer trivial to intercept data sent by the<br class="">
server to and from the client, including which resource (stream) is<br class="">
being accessed.<br class="">
<br class="">
Security is a complex topic and there are many areas and details and<br class="">
things tend to turn upside down depending on what your priorities<br class="">
(threat model) are.<br class="">
<br class="">
<br class="">
TBR<br class="">
<br class="">
<br class="">
<blockquote type="cite" class="">Thanks for your help. <br class="">
<br class="">
Patricia Moynihan<br class="">
Director of Digital<br class="">
<br class="">
<a href="mailto:pmoynihan@fsu.edu" class="">pmoynihan@fsu.edu</a> <<a href="mailto:pmoynihan@fsu.edu" class="">mailto:pmoynihan@fsu.edu</a>><br class="">
850-645-6067<br class="">
850-645-7200<br class="">
<br class="">
<blockquote type="cite" class="">On May 10, 2019, at 4:04 AM, Thomas B. Rücker <<a href="mailto:thomas@ruecker.fi" class="">thomas@ruecker.fi</a><br class="">
<<a href="mailto:thomas@ruecker.fi" class="">mailto:thomas@ruecker.fi</a>>> wrote:<br class="">
<br class="">
Hi,<br class="">
<br class="">
On 5/10/19 3:11 AM, Patricia Moynihan wrote:<br class="">
<blockquote type="cite" class="">Are there any serious security risks for leaving port 8000 open to<br class="">
public use on icecast? I had wanted to limit to 8443 but it seems some<br class="">
radio devices cannot support this protocol.<br class="">
</blockquote>
<br class="">
<br class="">
The port number doesn't matter. I guess in your case you mean HTTP vs<br class="">
HTTPS.<br class="">
<br class="">
The proper and terse answer is:<br class="">
<br class="">
It doesn't matter if you use HTTP or HTTPS as long as you have a secure<br class="">
configuration including managed and strong (not bruteforceable)<br class="">
passwords AND you keep your Icecast server up to date wrt security<br class="">
updates (currently Version 2.4.4).<br class="">
<br class="">
From my anecdotal knowledge gained over 18 years of involvement in<br class="">
Icecast, if people would follow the above two, then 99,9% of incidents<br class="">
would not happen.<br class="">
<br class="">
The longer answer is that it will also depend on your 'threat model' and<br class="">
how you rate and address things that you consider 'risks' in this frame<br class="">
of reference. There is no one-fits-all or immediate answer that fits<br class="">
into this email.<br class="">
<br class="">
<br class="">
Hope this helps,<br class="">
<br class="">
Thomas<br class="">
<br class="">
<br class="">
_______________________________________________<br class="">
Icecast mailing list<br class="">
<a href="mailto:Icecast@xiph.org" class="">Icecast@xiph.org</a> <<a href="mailto:Icecast@xiph.org" class="">mailto:Icecast@xiph.org</a>><br class="">
<a href="https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.xiph.org_mailman_listinfo_icecast&d=DwIGaQ&c=HPMtquzZjKY31rtkyGRFnQ&r=il3mbeSthlxEJd_b1NtmGe2biSOKp7VwqcXPdl2MdRc&m=X3zh6M4zoa3mkJwmMiZz1f54FZWn_anDeugwt91Y9Uw&s=PddWQ35fNEeUXAPZc9z2OIcjlDRy3lSx_2XgODSskyM&e=" class="">https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.xiph.org_mailman_listinfo_icecast&d=DwIGaQ&c=HPMtquzZjKY31rtkyGRFnQ&r=il3mbeSthlxEJd_b1NtmGe2biSOKp7VwqcXPdl2MdRc&m=X3zh6M4zoa3mkJwmMiZz1f54FZWn_anDeugwt91Y9Uw&s=PddWQ35fNEeUXAPZc9z2OIcjlDRy3lSx_2XgODSskyM&e=</a><br class="">
</blockquote>
<br class="">
<br class="">
_______________________________________________<br class="">
Icecast mailing list<br class="">
<a href="mailto:Icecast@xiph.org" class="">Icecast@xiph.org</a><br class="">
https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.xiph.org_mailman_listinfo_icecast&d=DwIGaQ&c=HPMtquzZjKY31rtkyGRFnQ&r=il3mbeSthlxEJd_b1NtmGe2biSOKp7VwqcXPdl2MdRc&m=OD-PDzRTQcORzIDkfdfm9ZArtiOmESX8sYcnDnJyJuw&s=-vGj3IVe8I7JCpXxfhkMRgsyItHncb8nWnWA2Fz5p1U&e=<br class="">
</blockquote>
<br class="">
_______________________________________________<br class="">
Icecast mailing list<br class="">
<a href="mailto:Icecast@xiph.org" class="">Icecast@xiph.org</a><br class="">
https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.xiph.org_mailman_listinfo_icecast&d=DwIGaQ&c=HPMtquzZjKY31rtkyGRFnQ&r=il3mbeSthlxEJd_b1NtmGe2biSOKp7VwqcXPdl2MdRc&m=OD-PDzRTQcORzIDkfdfm9ZArtiOmESX8sYcnDnJyJuw&s=-vGj3IVe8I7JCpXxfhkMRgsyItHncb8nWnWA2Fz5p1U&e=<br class="">
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</body>
</html>