Improve URL Privacy

Please consider making Sonarr hide the content that is being browsed in the URL. After the hostname/port, Sonarr doesn’t try to hide or id-map anything.

Today, even with HTTPS it is possible for a proxy server or ISP to watch URLs and clearly understand everything that is being used when you connect from the Internet. Even our bosses can follow what you are doing :-))

Activating HTTPS ensures that the data content is secured. OK very good.
But writing info inside URL is a form of breaking user’s privacy.

Examples of software that hide it very well today: CouchPotato, Emby…

Thanks

Not sure what you mean. Anything in the URL path is available, but query parameters (following the ?) are hidden when using HTTPS (as are the headers).

Actually CP exposes the API key in the URL, giving you full access to CP if you see the URL.

We have no plans to change the URLs that are used.

Wow I haven’t noticed the API problem. But without the password, it’s kinda useless, right?

What I’m talking about is: when you browse inside a show in Sonarr, an example of the URL that appears exactly: https://server_external_address:port/series/breaking-bad

I’m using a reverse proxy to intermediate all HTTPS from external access and allowing http from internal only (and from the proxy). So this should be secure enough.

If you are that worried about privacy you should be using a VPN and not accessing Sonarr remotely like that.

With some work I will surely find a way so my reverse proxy hides these parameters internally.

I was only giving suggestions to help general public and improve the app.

Never… mind.

I think that the choice between privacy and user-friendliness is very dependent on the user, and don’t think most users care that much.

Most users probably care more about a friendlier, nicer looking URL than a cryptic one. Take a look at pretty much any site, forum or discussion group and you’ll see most put the title in the URL.

That’s the point of the API key, it gives access without requiring a password. For Sonarr the API is used for everything done in the UI, so gaining access would give you limitless power (unless it was reset). I can’t say for certain that CP has the same power with just the API key, but I wouldn’t be surprised if it did.

@anderbytes What in the name of sanity are you talking about?

  1. Utterly and totally wrong, https encrypts all data… url, header and content, only thing it doesn’t encrypt is domain name that gets resolved through the dns system. Also, any https-busting proxy that can read the url can read the content as well. (Easily protected against by using the right root-certificates to prevent https man-in-the-middle attacks)

  2. You should stop visiting Sonarr from work, at least I’m assuming that’s what we’re talking about coz that’s the only place where an unwanted third party could check the URL (in your browser history).
    If you still want to do that, use https in an incognito window coz your boss might be checking your browser history.
    Also check for any vnc-like software, coz he might be watching.
    … he’s standing behind me, isn’t he?

  3. Adding human readable bits of information (called ‘slugs’ btw) in the url is actually pretty standard for fluent sites. Look at reddit, tvmaze, trakt.tv and plenty of the news sites.

2 Likes

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.