How Plex is doing HTTPS for all its users

Oct 20, 2023

Interesting dive into how Plex is creating certs for every Plex server.

This way when a server first starts it asks for its wildcard certificate to be issued (which happened almost instantly for me) and then the client, instead of connecting to, connects to which resolves to the same IP, but with a domain name that matches the certificate that the server (and only that server, because of the hash) holds.

Found via this tweet

The end of DNS rebinding is nigh! With a bit of luck and some time, maybe it will also mean DNS resolvers can stop breaking public domains that resolve to internal addresses, making more viable!

The point about this in his article is:

P.S.: I finally figured out why they advise you might need to turn off DNS rebinding protections: a domain like which resolves to a local IP (that they use when you want to connect to a server on your LAN while still using the HTTPS web app) is exactly what a rebinding attack needs to access vulnerable services behind your firewall. See for example this post by Michele Spagnuolo.
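
An added example (not from the linked article or from Plex) of the resolver-side check that P.S. refers to: answers pointing into internal ranges are dropped for public names unless the name sits under an explicitly allow-listed zone. The zone name, hostnames and addresses below are constructed placeholders.

```python
import ipaddress

# Ranges a rebinding-protecting resolver refuses to return for public names.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",      # loopback, link-local, "this host"
    "::1/128", "fc00::/7", "fe80::/10",                # IPv6 loopback, ULA, link-local
)]

# Hypothetical zone that hands out per-server names resolving to LAN addresses.
ALLOWED_SUFFIXES = ("servers.media.example",)


def is_internal(addr):
    """True when the answer points into an internal range."""
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:192.168.1.10) so it cannot slip past.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in INTERNAL_NETS)


def suffix_allowed(name, suffixes=ALLOWED_SUFFIXES):
    """Match on label boundaries: 'evilservers.media.example' must not pass."""
    name = name.rstrip(".").lower()
    return any(name == s or name.endswith("." + s) for s in suffixes)


def filter_answers(name, answers, suffixes=ALLOWED_SUFFIXES):
    """Return (kept, dropped) address lists for one DNS response."""
    if suffix_allowed(name, suffixes):
        return list(answers), []
    kept = [a for a in answers if not is_internal(a)]
    dropped = [a for a in answers if is_internal(a)]
    return kept, dropped


if __name__ == "__main__":
    # Constructed sample responses: (queried name, A/AAAA answers).
    samples = [
        ("www.site.example", ["203.0.113.5"]),
        ("rebind.attacker.example", ["203.0.113.9", "192.168.1.10"]),
        ("srv.0123abcd.servers.media.example", ["192.168.1.10"]),
        ("evilservers.media.example", ["::ffff:10.0.0.1"]),
    ]
    for name, answers in samples:
        print(name, filter_answers(name, answers))
```

Scoping the exception to one zone keeps the protection on for every other name, which is narrower than turning rebinding protection off entirely.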
