Hacker News

teraflop, yesterday at 6:02 PM

That's no different from how just about any other webapp works.

"Bothering" with client-side password hashing, in the absence of TLS, is security theater. It provides only the most trivial protection against eavesdroppers.

If someone can steal an unhashed password, then they can also steal whatever hash you send instead. If you try to fix this with some kind of ad-hoc challenge-response protocol, then the attacker can just steal your session cookie after login.

There shouldn't even be a question of using insecure HTTP for anything that requires authentication.
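The argument above, as an added toy model (not code from the thread or from any project it mentions): three login designs are run over a channel with no TLS, and the model records what a passive observer of that channel ends up holding in each case. The user, password and hash choices are constructed for the illustration.

```python
import hashlib
import hmac
import secrets

# Constructed example user; the server stores H(pw), as the thread assumes.
PASSWORD = "correct horse battery staple"
SERVER_DB = {"alice": hashlib.sha256(PASSWORD.encode()).hexdigest()}
SESSIONS = set()  # cookies the server currently treats as logged in


def client_hash(password):
    """Client-side hashing: the browser sends H(pw) instead of pw."""
    return hashlib.sha256(password.encode()).hexdigest()


def issue_session():
    cookie = secrets.token_hex(16)
    SESSIONS.add(cookie)
    return cookie


def login_with_hash(user, token):
    """Scheme 1: server compares the submitted H(pw) against its record."""
    if hmac.compare_digest(SERVER_DB.get(user, ""), token):
        return issue_session()
    return None


def login_with_challenge(user, nonce, response):
    """Scheme 2: ad-hoc challenge-response, response = HMAC(H(pw), nonce)."""
    expected = hmac.new(SERVER_DB[user].encode(), nonce.encode(), "sha256").hexdigest()
    if hmac.compare_digest(expected, response):
        return issue_session()
    return None


def authenticated_request(cookie):
    """Any later request is trusted solely on the cookie it carries."""
    return cookie in SESSIONS


def eavesdropper_view():
    """Everything here crosses the wire in the clear; 'seen_*' is what an observer
    records. Returns, per scheme, whether the recorded value still authenticates."""
    seen_token = client_hash(PASSWORD)                 # scheme 1: H(pw) on the wire
    login_with_hash("alice", seen_token)
    nonce = secrets.token_hex(16)                      # scheme 2: nonce, response, cookie on the wire
    seen_response = hmac.new(seen_token.encode(), nonce.encode(), "sha256").hexdigest()
    seen_cookie = login_with_challenge("alice", nonce, seen_response)
    return {
        "hash_is_replayable": login_with_hash("alice", seen_token) is not None,
        "response_is_replayable": login_with_challenge("alice", secrets.token_hex(16), seen_response) is not None,
        "cookie_is_usable": authenticated_request(seen_cookie),
    }
```

The hashed token is a password equivalent and replays as-is; the challenge response does not replay under a fresh nonce, but the session cookie issued right after it travelled over the same unencrypted channel, so the scheme buys nothing TLS would not.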


Replies

RajT88, yesterday at 10:05 PM

> "Bothering" with client-side password hashing, in the absence of TLS, is security theater.

Filtering out unsophisticated attackers I would not classify as "theater".

Read this, and let me know if the implications of port forwarding your server (or putting it on IP6) are readily apparent:

https://jellyfin.org/docs/general/post-install/networking/#s...

A lot of these users are not very sophisticated themselves. The least sophisticated attackers are likely to be the most numerous.

This is bad. People who say it's not bad (or worse, suggesting anyone dumb enough to publicly expose their server without TLS) are engaging in security snobbery.