
Thread: vod security roundup - secure VOD to Desktops

  1. #11
    Join Date
    Dec 2007
    Posts
    25,674

    I'm not sure how else to explain rtmp vs rtmpe. They are different though related protocols. rtmpe is encrypted. You just add the "e" to use it.

    SecureToken + RTMPE is pretty good security, but it can be defeated. Most security features can be defeated. It's hard to show a video to someone on their computer and make it impossible for them to save it.

    Richard

  2. #12
    Join Date
    Jul 2009
    Posts
    126

    Quote, originally posted by bobmane:
        What do people mean when they say "but anyone can just take out the "e" and it's now not secure"? I have heard this in several places and don't understand it.

    By default, yes. But in your application.xml, with the MediaSecurity plugin, you can require RTMPE connections and block RTMP ones:

    http://www.wowza.com/forums/showthre...low-only-RTMPE
    http://www.wowza.com/forums/content.php?115

    As for the Ajax example, I realize now that you would want to secure your Ajax call anyway, so it would be rather redundant to use it AND then use my Wowza security method above. If you've got a database of users and/or sessions, just send that user/session ID as the flashvar instead of my timestamp/signature thing and check/verify that ID in Wowza. Wowza modules are just compiled Java code, and Java can connect to a database just as well as any other language.

    However, you don't want to spend too much time focused on security -- all it takes is one user with screen recording software and you've been defeated anyway!

  3. #13

    I'm just asking if alterations have been made; all I have is the version 2 PDF.

  4. #14
    Join Date
    Dec 2007
    Posts
    25,674

    I don't think so. The MediaSecurity addon has not changed since switching from ModuleSecureURLParams to ModuleRTMPAuthenticate for publish security.

    Richard

  5. #15

    Quote, originally posted by susta004:
        you don't want to spend too much time focused on security

    Yes, but might as well give a best effort. Less holes > easier to monitor and track.

  6. #16

    UPDATE: in case anyone followed this,

    after host turned it on

    changing

    streamer: 'rtmp://stream.s15.cpanelservices.com/my/',
    provider: 'rtmp'

    to

    streamer: 'rtmpe://stream.s15.cpanelservices.com/my/',
    provider: 'rtmpe'

    did create rtmpe streams
    Last edited by bobmane; 07-16-2012 at 05:26 PM.

  7. #17

    Quote, originally posted by susta004:
        As for the Ajax example, I realize now that you would want to secure your Ajax call anyway, so it would be rather redundant to use it AND then use my Wowza security method above. If you've got a database of users and/or sessions, just send that user/session ID as the flashvar instead of my timestamp/signature thing and check/verify that ID in Wowza. Wowza modules are just compiled Java code, and Java can connect to a database just as well as any other language.

    OK, so by now I have done a bunch of research + by now it's clear --- it's pretty darn simple to config Wowza.

    But Wowza devs I have talked to basically tell me "you have to do the php part yourself" - and that's the part that I need help on.

    So I want to do the php.

    so is this true:

    what i have now:

    SecureToken (but in this case SecureToken only with a password inside swf)
    +
    RTMPE

    is decent but offers no dynamic functions between wowza server and my webserver

    but....

    using php, the same:

    SecureToken

    could be extended by:

    having php/db talk to wowza (user/session ID) ??

    so:
    3) In this method, there is nothing secret or special stored in the SWF (or the JavaScript, for that matter). The JW Player edit and recompile just allowed the extra flashvars to be passed from the embed code to Wowza. The secret code is only stored in the server-side PHP code and the server-side Wowza module.
    1) is taking secret code from swf and putting it in php instead
    2) using php, other variables can be passed along with the secret
    3) on wowza end, it's still called SecureToken and nothing more?
    4) or SecureToken in the case of the php stuff has nothing to do with and is ModuleRTMPAuthenticate
    Last edited by bobmane; 07-18-2012 at 02:29 AM.
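
Added example, not part of any post in this thread and not Wowza's or the posters' code: a sketch of the timestamp/signature idea discussed above, where the secret lives only in the server-side PHP and in the media-server check, never in the SWF. The HMAC-SHA256 construction, the field names (sid, ts, sig), the 60-second window and all sample values are assumptions; in a real deployment the verify step would be a Java check inside a Wowza module, and it is written in PHP here only to show the logic.

```php
<?php
// Added illustration. The names, parameters and HMAC construction are assumptions,
// not the scheme from the thread and not Wowza's SecureToken implementation.
const SHARED_SECRET   = 'replace-with-long-random-secret'; // constructed placeholder
const MAX_AGE_SECONDS = 60;

// Web server side: build the values handed to the player as flashvars.
function make_stream_token(string $sessionId, string $streamName, int $now): array
{
    $payload = implode('|', [$sessionId, $streamName, $now]);
    return [
        'sid' => $sessionId,
        'ts'  => $now,
        'sig' => hash_hmac('sha256', $payload, SHARED_SECRET),
    ];
}

// Media server side: recompute the signature from what the client sent.
function verify_stream_token(array $vars, string $streamName, int $now): bool
{
    if (!isset($vars['sid'], $vars['ts'], $vars['sig'])
        || !is_string($vars['sid']) || !is_string($vars['sig'])
        || !preg_match('/^[A-Za-z0-9-]{1,64}$/', $vars['sid']) // no '|' allowed in the id
        || !ctype_digit((string) $vars['ts'])) {
        return false;
    }
    $ts = (int) $vars['ts'];
    // Reject stale or future-dated tokens so a copied embed stops working quickly.
    if ($ts > $now + 5 || $now - $ts > MAX_AGE_SECONDS) {
        return false;
    }
    $payload  = implode('|', [$vars['sid'], $streamName, $ts]);
    $expected = hash_hmac('sha256', $payload, SHARED_SECRET);
    return hash_equals($expected, $vars['sig']); // constant-time comparison
}

// Constructed sample run.
$now  = 1342600000;
$vars = make_stream_token('sess-4f2a', 'lesson1.mp4', $now);
var_dump(verify_stream_token($vars, 'lesson1.mp4', $now + 10));  // same stream, 10 s later
var_dump(verify_stream_token($vars, 'other.mp4', $now + 10));    // token reused for another stream
var_dump(verify_stream_token($vars, 'lesson1.mp4', $now + 600)); // token replayed after the window
$vars['sid'] = 'sess-0000';
var_dump(verify_stream_token($vars, 'lesson1.mp4', $now + 10));  // session id altered by the client
```

For the database variant mentioned in the thread, the media-server side would additionally look up `sid` against the session table before allowing the connection.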
