I asked for this information in some other thread a few weeks ago. Nice to see a bit of it here.
Can you tell me which credential is used to authenticate the ARC client? How is it entered?
It’s of concern because if I want to give someone access to my core via ARC, do I reveal my roon account login/password to them, my forum login/password, or something entirely different? And aside from the human vulnerabilities and compromising my account, how can it be leaked or snooped by other agents?
What secures the traffic between the core and the ARC client? If the protocol or traffic was compromised, could anybody enumerate my music collection or, say, mess up the metadata?
Your Roon username (email you used to sign up) and the password for your Roon account.
Yes, you would reveal your Roon account login/password. Don’t share your Roon account login/password. Your Roon account login/password is your entire Roon identity, which includes this forum.
Have you used ARC? You type it in.
Malicious software that infects your apps or operating system, etc… the normal stuff.
TLS is used for encryption, and the Roon software verifies your identity via an intermediary server on our end.
The “secure protocol” only prevents snooping on a wire. A TLS compromise would allow an attacker to snoop on your traffic if an attacker had infected your device running ARC or the Roon Core.
There are no fundamental weaknesses in TLS 1.2; yes, it is cryptographically less robust than 1.3, but nothing that is substantially flawed for normal users. It is still an approved transport encryption for the US Government, including FedRAMP, so good enough for me.
TLS versions less than 1.2 (and all SSL versions), however, are a different matter; they have substantial problems.
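As an added illustration of the point made in the two posts above (not code from Roon or from anyone in this thread), here is how a client application enforces that minimum: the weak setting that still permits TLS 1.0 sits beside the corrected one that refuses anything below TLS 1.2, plus a small policy check on the negotiated version name that `SSLSocket.version()` reports. The version set and the function names are this example's own assumptions.

```python
import ssl
import warnings

# Policy from the thread: TLS 1.2 and 1.3 are acceptable; TLS 1.0/1.1 and
# every SSL version are not. (Constructed for this example.)
ACCEPTABLE_VERSIONS = {"TLSv1.2", "TLSv1.3"}


def is_acceptable_protocol(version_name: str) -> bool:
    """True if a negotiated protocol name, in the form SSLSocket.version()
    returns it (e.g. 'TLSv1.2'), meets the minimum. None means no TLS at all."""
    return version_name in ACCEPTABLE_VERSIONS


def check_negotiated(version_name: str) -> str:
    """Raise rather than silently continue on a legacy protocol. Call this with
    sock.version() right after the handshake."""
    if not is_acceptable_protocol(version_name):
        raise ssl.SSLError(f"refusing legacy protocol {version_name!r}")
    return version_name


def make_strict_client_context() -> ssl.SSLContext:
    """Corrected setting: verifies the server certificate and hostname
    (create_default_context enables both) and pins the floor at TLS 1.2
    explicitly rather than relying on the interpreter's default."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def make_legacy_client_context() -> ssl.SSLContext:
    """Weak setting, shown only for contrast: explicitly re-enables TLS 1.0.
    Python warns that this is deprecated; the warning is suppressed here so the
    comparison below runs cleanly."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.minimum_version = ssl.TLSVersion.TLSv1
    return ctx


def context_allows_legacy(ctx: ssl.SSLContext) -> bool:
    """Audit helper: does this context permit anything older than TLS 1.2?
    TLSVersion is an IntEnum, so the comparison is numeric (0x301 < 0x303)."""
    return ctx.minimum_version < ssl.TLSVersion.TLSv1_2


if __name__ == "__main__":
    for name, ctx in (("strict", make_strict_client_context()),
                      ("legacy", make_legacy_client_context())):
        print(f"{name}: allows legacy = {context_allows_legacy(ctx)}")
    for v in ("TLSv1.3", "TLSv1.2", "TLSv1.1", "TLSv1", "SSLv3"):
        print(f"{v}: acceptable = {is_acceptable_protocol(v)}")
```

In practice the strict context is the one to hand to `ssl.SSLContext.wrap_socket` (or to any HTTP library that accepts a context), and `check_negotiated(sock.version())` is a cheap belt-and-braces assertion that the floor actually held.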
It wasn’t always that way… in early 2015, we had different logins for the Roon app + website and for the community forums… It was our top support issue by a long shot – people couldn’t figure out why they weren’t the same!
So while I can’t take credit for getting that design choice correct from the start, I am happy it was a problem we resolved back in October 2015:
I don’t think I have the ability to disable UPnP in my router, I would have to go through my service provider. What gives me pause is the message I get from my provider’s security app:
“A high risk source tried to access Nucelus. Advanced security has blocked 1 of these security risks this week.”
Maybe that’s a good thing that my security prevented it? I don’t know, but I do know I never got those alerts before upgrading to 2.0, and now I get them regularly. Or, rather, got them regularly. My Nucleus is for sale and I have deleted Roon. I won’t even go back to my MacBook as the core. I think it’s incredible arrogance on the part of Roon to assume all of their users would be going ape over a feature like ARC. I purchased a lifetime subscription when they were first offered, but I’m done with Roon.
Apple Music, Naim app, and Tidal Connect. I’m served well at home and abroad!
Interesting. I recently deleted the ARC app and changed the port setting in Roon to 0 (zero). I just checked it, and sure enough Roon changed it to something else. So it appears setting the port to zero isn’t a workable solution.
Edit: I tried setting the port to zero again, and it will not stick.
When you exit settings, say to the albums view, and then go back into settings… 0 is displayed.
However, exiting the Roon remote (in my case an iPad) and then going back … I can see that port 55xxx is suggested.
However, look at the top section of the screen (as highlighted in red by me): Roon is still reporting that ARC cannot connect, and tapping the re-test icon confirms it still cannot connect.