secure VOD to Desktops only (not iOS for now)
-
re: WowzaMediaServerMediaSecurity_UsersGuide.pdf for version 2. WowzaMediaServerMediaSecurity_UsersGuide.pdf - has no changes at all from version 2 to 3?
-
from WowzaMediaServerMediaSecurity_UsersGuide.pdf and the forum…Im going in circles over what I need and what is overlapping or only needed for live.
so, in the guide it says:
“For example to protected video on demand streaming it is best to use SecureToken along with RTMPE”.
2a) OK, so thats ALL?? (SecureToken along with RTMPE)?
2b)
There is no special configuration needed to do RTMPE and RTMPTE streaming. You simply just specify rtmpe:// or rtmpte:// as the protocol portion of the server URL when connecting to Wowza Media Server from the Flash player.
re: RTMPE. i totally do not get this. on one had it is said that RTMPE is “on by default” (http://www.wowza.com/forums/showthread.php?18894-auto-rmtpe&p=96143&highlight=#post96143) . but it is also said that “anyone can change it to RTMP making it useless” what does all that mean?
2c) post with Lisa reply:
Wowza developed its own implementation of RTMPE. Please note that to the best of our understanding, all versions of RTMPE have been compromised. Also note that Adobe’s own hardening guide states that RTMPS (not RTMPE) provides maximum security. http://www.adobe.com/devnet/flashmed…ing_guide.html . Would you be interested in RTMPS?
–
“SecureToken is a challenge and response based security system that when used in conjunction with RTMPE/RTMPTE provides a high level of content protection”
The SecureToken security feature requires changes to your client-side ActionScript player code so that is properly responds to the SecureToken challenge.
3a) I just had a swf compiled (for wowza) to play video only if played from my domain. is this different than SecureToken challenge and response or just one feature of SecureToken challenge and response?
3b) is it true that SecureToken is either built into a swf or issued from a remote server
3c) is it true that if issued from a remote server the only singular advantage is the swf cant be attained and manipulated.
from related post:
Originally Posted by rrlanham View Post
As far as I know, you have to compile a new SWF. Adding a token to javascript is not very secure, and I just don’t know if or how that works. I think I tried it awhile ago and it didn’t. You might want to hire a Flash developer to help. We have a list of independent consultants. Write to support@wowza.com if you want us to send that. Include a link to this thread.
Richard
4a) but how secure is using the swf? cant they just download and recomplie the swf?
4b) isnt that why there are vendors who are selling token systems that don’t rely on the swf?
i was told:
Protecting a swf (hash internal) is not best case and there are a multitude of programs that can strip that data out. Instead you should take the approach that you do a secure call into the system to generate hotlinking so you do not have a hardcoded hash. Protecting the swf better then becomes obsolete if are doing an external call.
so what is wowza position on this?
from the following list, what is and is not needed for secure VOD to Desktops only (not iOS for now) to thwart most stuff like dump tools, and what in the list overlaps?
here is the list:
https://www.wowza.com/docs/how-to-format-adobe-flash-rtmp-urls
https://www.wowza.com/docs/how-to-require-a-secure-rtmp-connection-modulerequiresecureconnection
Custom stream authorization and expiration module (all methods?)
“ModuleRequireSecureConnection”
https://www.wowza.com/docs/how-to-format-adobe-flash-rtmp-urls
http://www.wowza.com/forums/showthread.php?8457-Protecting-VOD&p=94054&highlight=#post94054