thelittleblackbird

joined 2 years ago
[–] thelittleblackbird@lemmy.world 0 points 16 hours ago

If they don't have a team, they don't regularly look; if they don't look, they don't report; if they don't report, your analysis may be biased because you can only check what you know....

I hope you can see my point

[–] thelittleblackbird@lemmy.world 3 points 1 day ago (2 children)

???

This is not about enshittification. The best user-friendly app can be a security nightmare and an utterly crap one can be rock solid.

It is not about that, not even development models or just rock star programmers.

It is about who has a performing security team and who doesn't.

[–] thelittleblackbird@lemmy.world 1 points 1 day ago (1 children)

Well, when I was talking about non-techie people I didn't mean technology illiterates; everybody can open a port in your consumer router with the help of ChatGPT, not everybody is able to realize they need a reverse proxy with TLS and to modify the headers for the auth....

Being secure on the internet is like herd immunity in corona times: your system could be fairly secure, but if you are hammered by several botnets it is going to be a challenge, and there is responsibility in shipping a product that is easy to infect.

And your third paragraph really confirms why this post is necessary

[–] thelittleblackbird@lemmy.world 2 points 1 day ago (2 children)

Jellyfin has a nice record of problems with authentication and privilege escalation; even the developer team recommends using it behind a VPN and not exposing it to the internet.

Of course, you can use a reverse proxy with an external auth framework to mitigate it, pair it with fail2ban, geo restrictions and a second factor, but those things are not in the scope of the regular user.

Let's face reality, Plex is not so widespread for being the default option in Kali Linux....

Sometimes it is not your data that is important but your computer; nobody wants to be in a botnet.

Well, perhaps Plex is not better in security (we don't know for sure), but at least they have a cyber team, a monitoring system and, as everybody hopes, dedicated developers for these topics.

Jellyfin does not have a team like this one per se. Could the developers be a better fit and more knowledgeable at Jellyfin than at Plex? Perhaps, but probably the focus is on the features and not on the security.

[–] thelittleblackbird@lemmy.world -1 points 1 day ago (3 children)

But they are responsible for the unsecured / gruyere cheese product they ship.

Jellyfin has a lot of holes and it is easy for non-techie people to deploy it in an insecure way. Last time I checked they didn't even have recommended practices for hardening it.

[–] thelittleblackbird@lemmy.world 4 points 1 day ago (10 children)

Good to read you know how to implement some protection layers around your Jellyfin :)

But most people (especially the Plex ones) don't have the technical background to deploy something like you have, and convincing those people to make the switch without knowing how to protect themselves is not a wise thing to do. Especially when, this time, Plex's response was perfectly fine :)

[–] thelittleblackbird@lemmy.world 2 points 1 day ago (21 children)

I hope you know how to harden Jellyfin, because they are not better than the Plex team....