Nibodhika

Ook

I mean, yes, but there are ways around it. Windows could have a public key embebed somewhere and the private counterpart gives access, the command could depend on the time it's received, so it's never the same and without the private key it's impossible to reproduce, and the Killswitch could be non-instantaneous, combine all of that and you have a Killswitch that:

• It's very hard for you to realize something happened, because by the time it happens the trigger is lost in a sea of other requests
• Even if you were to fine comb through all of that and spot it, it's encrypted
• Even if you were to resend it it would do nothing, because the time has changed
• Even if you managed to find the public key and decrypt it the actual content could be inocuos, like a random looking string
• As long as the private key is secure enough it would be impossible to crack
• Even if you somehow managed to crack it and send anything you want to the PC you don't know the protocol to generate the random strings and you only have the one example of the message (which no longer works)
• Even if several people did this the content could truly be random (in the common sense of the word, i.e. pseudo-random), since Microsoft controls the RNG on Windows they can use that to ensure that random data gets generated equally

And I'm not even a cryptographer, people who come up with new encryption protocols can surely do a lot better than my naive example above which would make it almost impossible for someone to figure out.

No need to apologize, it's a weird choice from Plex, I would have never guessed that this is how it works if I hadn't suffered outages myself, and I'm amazed that not many people call them out on this, it seems completely against what most self-hosting people are looking for, but they seem to defend Plex with teeth and nails.

First of all I agree with most of your a, b and c points, just would like to point out that while it's true that Docker containers provide an extra level of security they're not as closed down as people sometimes believe, but as a general rule I agree with everything you said.

But you're wrong about the way Plex works, this is a quote from their documentation:

So, your Plex Media Server basically “relays” the media stream through our server so that your app can access it since the app can’t connect with your server directly.

If that's not clear enough:

Your security and privacy is important to us. When you have enabled secure connections on your Plex Media Server, then your streaming will continue to be secure and encrypted even when using our Relay feature. (When using secure connections, the content is encrypted end-to-end and tunneled through our Relay. The connection is not terminated on our servers and only your Plex Media Server has the certificate.)

So it's very clear data is streaming through their relay server, which goes back to my original point of I expect that to be a paid feature, it's using bandwidth from their relay servers.

As for the security again you're wrong, authentication happens on the Plex remote server, not on your local one, which is why you can't use Plex without internet (part of my dislike for them). So you connect to Plex remote server and authenticate there, you then get a client that's talking to the remote server, even if someone was able to bypass that login they would be inside a Plex owned server, not yours, they would need to then exploit whatever API exists between your home server and that one to jump to your machine, so it's an extra jump needed, again similarly to having Authelia/Authentik in front of Jellyfin.

You are, authentication on the VPS, you're relying on Jellyfin authentication against the internet. Correct me if I'm wrong, but this is your suggested setup: [home server] Jellyfin -> [remote server] Reverse Proxy -> [remote machine] users. Let's imagine a scenario where Jellyfin has a bug that if you leave the password empty it logs you in (I know, it's an exaggeration but just for the sake of argument, an SQL injection or other similar attacks would be more plausible but I'm trying to keep things simple), on your setup now anyone can log into your Jellyfin and from there it's one jump to your home server. On Plex's solution even if Plex authentication gets compromised the attacker only got access to the remote server, and would now need to find another vulnerability to jump to your Plex at home.

Putting something like Authelia/Authentik on a VPS in front of Jellyfin is a similar approach, but the Jellyfin client can't handle third party authentication AFAIK

For remote streaming they do, here are their docs on it https://support.plex.tv/articles/216766168-accessing-a-server-through-relay/

From that documentation:

So, your Plex Media Server basically “relays” the media stream through our server so that your app can access it since the app can’t connect with your server directly.

No, the article only mentions the feature by name, the docs for the feature mentions the relay https://support.plex.tv/articles/216766168-accessing-a-server-through-relay/

Using a relay server to separate online from home connection

It's not, not directly at least, and that's what everyone is ignoring here. You probably understand the value on Authelia/Authentik but you're failing to see that the Plex relay server is taking that same mantle here, so even if someone managed to compromise the relay server it's still not on your home server, whereas exposing jellyfin directly to the internet only requires one service to be compromised.

In some way is different from directly, on Plex you're behind a relay server so it's akin to being behind a VPS running Authentik/Authelia in front of the service on your home. Compromising the relay server does not necessarily compromises your home server, so it's not direct like putting Jellyfin on a reverse Proxy would be.

That exposes Jellyfin to the internet

That exposes Jellyfin to the internet, so it's not the same feature