Protecting VOD

[pietjuh1]

What is the most efficient way to setup security to prevent my VOD streams from ripping?
My current setup.
Streams are called from JW player running in an application which requires username and password.
Wowza is setup with with SecureToken an requiresecureconnection modules.
Setup allowed domains.

Still using the latest RTMPdump I can rip my stream when i know the securetoken, which i think can be found by decompiling the swf? I know of SWF obfuscators, which we can build ourselves I think, and the commercial ones are quite expensive.
Is there anything more i can do to protect?

[rrlanham]

You should also use RTMPE protocol.

And there is this, Protect your swf's by loading them from Wowza:

Richard

[pietjuh1]

I'm already using RTMPE in combination with the RequireSecureConnection module and securetoken but RTMPdump bypasses it.

I will take a look at the byteloader code tho.

Thanks Richard!

[bobmane]

RTMPE provides just encryption it doesn’t provide full security.

In wikipidiea it says that

Adobe developed RTMPE as a lighter weight alternative,[3] to make it more practical for high-traffic sites to serve encrypted content. Adobe advertises RTMPE as a method for secure content delivery, protecting against client impersonation[4] but this claim is false. RTMPE only uses[1] Anonymous Diffie-Hellman which provides no verification of either party's identity, and as such is vulnerable to trivial man-in-the-middle attacks.

[lisa_w]

Wowza developed its own implementation of RTMPE. Please note that to the best of our understanding, all versions of RTMPE have been compromised. Also note that Adobe's own hardening guide states that RTMPS (not RTMPE) provides maximum security. http://www.adobe.com/devnet/flashmed...ing_guide.html

Would you be interested in RTMPS? If so, would you be interested in providing feedback on an easy to implement RTMPS solution that we are considering?

-Lisa

[bobmane]

Would you be interested in RTMPS? If so, would you be interested in providing feedback on an easy to implement RTMPS solution that we are considering?


how? anything i demo/test would have be useable in JW Player unless using some sort of player switching which i have never yet done

[lisa_w]

This is under consideration and not yet available. Thank you for the feedback.

-Lisa

[bobmane]

Ok thanks

[lisa_w]

We did a test this morning with JW Player and RTMPS for this request. The security is handled by Flash Player itself. Here is some sample code that we used with JW Player 9.5 in our testing.

Code:

<script type="text/javascript" src="jwplayer.js"></script>
<script type="text/javascript">
jwplayer("mediaplayer").setup({
                file: 'mp4:sample.mp4',
                streamer: 'rtmps://[domain-name]/vod',
                flashplayer: 'player.swf',
                plugins: {
                                "captions.swf": {}
                }
});
</script>

-Lisa

[JanEhrhardt]

Do you know how to pass connectionArgs from JW Player to Wowza?

For Flowplayer we are using connectionArgs: [ 'database', 'uid', 'remote_addr', 'max_timeout' ].
Our custom module then checks MySQL to see if 'uid' has been logged in to 'database' from 'remote_addr' during the last 'max_timeout' seconds. max_timeout = 60 seconds in our case, which provides enough security to block unauthorised access.

However the latest Firefox broke the rtmps protocol in the Flowplayer. Example with a 1 hour test-movie:
https://sessiondatabase.net/flowplayer/

This plays fine in every browser except Firefox 13. We temporarily reverted back to rtmp to get this running again in Firefox.

Firefox does not have problems with JW Player 5.9:
https://sessiondatabase.net/jwplayer/

Of course, we will report the Firefox bug to the developers of Flowplayer and/or Mozilla. But in the mean time, we must also consider switching to JW Player.