TLS for VLC web interface
Apologies if this is already in the enhancements pool - I searched several ways and did not see it.
The VLC web interface does not seem to allow any meaningful form of security - that is, anything that can reach the host on which VLC is running can try to connect, and anything which can sniff on that network can trivially decode the base64 encoded password. As the remote interface by default allows browsing the whole file system, this seems like quite a large security vulnerability.
This enhancement request treats two areas:
-
By default, lock down what may be browsed through the web (And, really, all remote) interface(s) to a media-content-only directory, by default a new place which systems will NOT have, so that by default when any remote features are enabled NO content is effectively shared. e.g. {Windows} %USERPROFILE%\Videos\VLC\
-
Add SSL/TLS - preferably compatible with https://letsencrypt.org or something similar - to provide some degree of security for the web (and, again, really, all remote) interface(s) offered by VLC.
This is a dangerous world. VLC is widely used. The web/remote interfaces are great features from a usability and user perspective, which means they're very likely to be the subject of attack.