
Thread: vod security roundup - secure VOD to Desktops

  1. #1


    secure VOD to Desktops only (not iOS for now)



    1) re: WowzaMediaServerMediaSecurity_UsersGuide.pdf for version 2. WowzaMediaServerMediaSecurity_UsersGuide.pdf - has no changes at all from version 2 to 3?

    2) from WowzaMediaServerMediaSecurity_UsersGuide.pdf and the forum... I'm going in circles over what I need and what is overlapping or only needed for live.

    so, in the guide it says:

    "For example to protect video on demand streaming it is best to use SecureToken along with RTMPE".
    2a) OK, so that's ALL?? (SecureToken along with RTMPE)?

    2b)
    There is no special configuration needed to do RTMPE and RTMPTE streaming. You simply just specify rtmpe:// or rtmpte:// as the protocol portion of the server URL when connecting to Wowza Media Server from the Flash player.
    re: RTMPE. i totally do not get this. on one hand it is said that RTMPE is "on by default" (http://www.wowza.com/forums/showthre...ght=#post96143). but it is also said that "anyone can change it to RTMP making it useless". what does all that mean?

    2c) post with Lisa reply:
    Wowza developed its own implementation of RTMPE. Please note that to the best of our understanding, all versions of RTMPE have been compromised. Also note that Adobe's own hardening guide states that RTMPS (not RTMPE) provides maximum security. http://www.adobe.com/devnet/flashmed...ing_guide.html . Would you be interested in RTMPS?
    --

    3)

    "SecureToken is a challenge and response based security system that when used in conjunction with RTMPE/RTMPTE provides a high level of content protection"
    The SecureToken security feature requires changes to your client-side ActionScript player code so that it properly responds to the SecureToken challenge.

    3a) I just had a swf compiled (for wowza) to play video only if played from my domain. is this different than SecureToken challenge and response or just one feature of SecureToken challenge and response?

    3b) is it true that SecureToken is either built into a swf or issued from a remote server

    3c) is it true that if issued from a remote server the only singular advantage is the swf can't be attained and manipulated.

    ----

    4)

    from related post:

    Originally Posted by rrlanham
    As far as I know, you have to compile a new SWF. Adding a token to javascript is not very secure, and I just don't know if or how that works. I think I tried it awhile ago and it didn't. You might want to hire a Flash developer to help. We have a list of independent consultants. Write to support@wowza.com if you want us to send that. Include a link to this thread.

    Richard
    4a) but how secure is using the swf? can't they just download and recompile the swf?


    4b) isn't that why there are vendors who are selling token systems that don't rely on the swf?

    i was told:

    Protecting a swf (hash internal) is not best case and there are a multitude of programs that can strip that data out. Instead you should take the approach that you do a secure call into the system to generate hotlinking so you do not have a hardcoded hash. Protecting the swf better then becomes obsolete if you are doing an external call.

    so what is wowza position on this?

    ---


    from the following list, what is and is not needed for secure VOD to Desktops only (not iOS for now) to thwart most stuff like dump tools, and what in the list overlaps?

    here is the list:

    http://www.wowza.com/forums/content....for-Publishing

    http://www.wowza.com/forums/content....-single-url%29

    http://www.wowza.com/forums/content....PE-RTMPTE-RTMP

    http://www.wowza.com/forums/showthre...ll-methods-%29

    “ModuleRequireSecureConnection”

    http://www.wowza.com/forums/content....to-single-url)

    http://www.wowza.com/forums/showthre...ght=#post94054
    Last edited by bobmane; 07-08-2012 at 09:53 PM.

  2. #2

    I haven't dealt with security in awhile -- it ultimately wasn't too important for me -- but it was pretty easy to make a custom module for Wowza 2 that would essentially "expire" any viewing sessions after a few seconds, thanks to a secret code stored only server-side (in Wowza and PHP/ASP/etc.). It didn't require any messing with SWF, just some very basic use of the Wowza IDE. All of the code is here:

    http://www.wowza.com/forums/showthre...hods-)&p=46697

  3. #3


    1) why does it say (all methods?)

    2) when you say compile JW you mean just change the .js file by adding lines of code?

    3) in regard to swf

    a) swf method does same thing but is just hard-coded into swf rather than placed in js?
    b) isn't it true that proponents of swf say js is too unsecured and easily hacked


    4) could this
    so.addVariable('timestamp','<?php echo $timestamp; ?>');
    so.addVariable('signature','<?php echo $signature; ?>');

    &timestamp=<?php echo $timestamp; ?>&signature=<?php echo $signature; ?>
    a) use other variables (e.g. subscriber User ID, subscriber User Status)
    b) be modified (add/remove/change variables) at anytime by admin and whole system automatically updates

    5) re: so.addVariable('timestamp','<?php echo $timestamp; ?>');

    can it be made to get server time NOT on page load, but on something like: $urlsignature = "server_time=

    so the policy/token would be run when a link is clicked within $validminutes time of $urlsignature = "server_time -----> not upon page load? (or some similar code?)

    (preferably if i load in many links to my app via json no timer will start for each link until that link is triggered by user)

  4. #4

    1) "All methods" meant rtsp, rtmp, http (for iDevices), etc. Basically everything that Wowza could output, this module could cover.

    2) I guess this was the one "SWF change" involved: I downloaded the JW Player source, edited the specified actionscript file, and recompiled to my own "custom" SWF. I think I used the free Adobe Flex SDK and it was pretty simple.

    3) In this method, there is nothing secret or special stored in the SWF (or the JavaScript, for that matter). The JW Player edit and recompile just allowed the extra flashvars to be passed from the embed code to Wowza. The secret code is only stored in the server-side PHP code and the server-side Wowza module.

    4) You could add other variables, but the point of my method was to make each instance of the embed code unique and time-based. Hence the timestamp and server-generated hash "signature". User-level validation or logging would be something else entirely, and probably is better achieved outside of Wowza anyway. And any variables you wanted to add in the embed code would obviously need to be added in the JW Player code to pass them along and in the Wowza module code so Wowza knows what to do with them (check them, log them, etc.).

    5) If you want to switch between videos in one page, without reloading, you would need to do some AJAX or something to generate the timestamp and signature as each "play" link is clicked. Javascript alone can't generate them, because that is client-side.

    To sum it up, my module allowed the server to generate (and Wowza to verify) unique embed code every time a video was loaded. We mainly did it for the time expiration ability, but it turned out to be a decent alternative to SWF tokens and the like.
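
A sketch of the timestamp-plus-signature scheme described in this post, as an added example that is not the module linked in the thread and not Wowza's own code. It assumes HMAC-SHA256 over the stream name and timestamp, a 30-second validity window, and hypothetical function names; `verify_token()` stands in for the check the server-side Wowza module (Java in a real deployment) would perform, and `issue_token()` is what an AJAX call would hit when a play link is clicked (point 5).

```php
<?php
// Added example with constructed values; names and parameters are hypothetical.
const SECRET = 'replace-with-long-random-secret'; // assumption: known only to PHP and the server module
const VALID_SECONDS = 30;                          // assumption: lifetime of a signed link

// Web-server side: call this when a "play" link is clicked (e.g. via AJAX),
// so the validity window starts at click time rather than at page load.
function issue_token(string $stream, ?int $now = null): array
{
    $timestamp = $now ?? time();
    // Bind the signature to the stream name so a token cannot be replayed for another video.
    $signature = hash_hmac('sha256', $stream . '|' . $timestamp, SECRET);
    return ['timestamp' => $timestamp, 'signature' => $signature];
}

// Streaming-server side: recompute the signature from the shared secret and compare.
function verify_token(string $stream, string $timestamp, string $signature, ?int $now = null): string
{
    if (!ctype_digit($timestamp)) {
        return 'rejected: malformed timestamp';
    }
    $age = ($now ?? time()) - (int) $timestamp;
    if ($age < 0 || $age > VALID_SECONDS) {
        return 'rejected: outside validity window';
    }
    $expected = hash_hmac('sha256', $stream . '|' . $timestamp, SECRET);
    // hash_equals() compares in constant time, avoiding a timing side channel.
    if (!hash_equals($expected, $signature)) {
        return 'rejected: bad signature';
    }
    return 'accepted';
}

// Constructed demo: fresh token, expired token, token reused for another
// stream, and a client-edited timestamp paired with the old signature.
$t0  = 1341784380; // constructed clock value
$tok = issue_token('mp4:sample.mp4', $t0);
$ts  = (string) $tok['timestamp'];
echo verify_token('mp4:sample.mp4', $ts, $tok['signature'], $t0 + 5), "\n";
echo verify_token('mp4:sample.mp4', $ts, $tok['signature'], $t0 + 120), "\n";
echo verify_token('mp4:other.mp4', $ts, $tok['signature'], $t0 + 5), "\n";
echo verify_token('mp4:sample.mp4', (string) ($t0 + 60), $tok['signature'], $t0 + 61), "\n";
```

Because the secret never leaves the server side, decompiling the SWF or reading the page's JavaScript reveals only a timestamp and a signature that stop verifying once the window closes.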

  5. #5


    @susta004

    many thanks for detailed answer. really helped.

    re:
    5) If you want to switch between videos in one page, without reloading, you would need to do some AJAX or something to generate the timestamp and signature as each "play" link is clicked. Javascript alone can't generate them, because that is client-side.
    well the php i suggested was part of the ajax (i guess...not really a coder). do you have any clue how that interaction might be done...like some rough idea i can further investigate?

  6. #6


    @ rrlanham

    despite the great reply here in this thread could you please give me a quick wowza response to my initial questions.

  7. #7

    RTMPE is not on by default unless you use it. Where you would have a RTMP URL like this:
    rtmp://[wowza-address]:1935/vod

    To use RTMPE you change that to
    rtmpe://[wowza-address]:1935/vod

    Secure token is usually built-in to the SWF by recompiling player source code.

    Regarding the suggestion in 4b, sounds good, a variety of schemes and custom schemes are good because they are custom, take special attention to defeat and compromise.

    Richard

  8. #8


    thanks

    sorry to belabor the point but:

    RTMPE is not on by default unless you use it. Where you would have a RTMP URL like this:
    rtmp://[wowza-address]:1935/vod

    To use RTMPE you change that to
    rtmpe://[wowza-address]:1935/vod
    what do people mean when they say "but anyone can just take out the "e" and it's now not secure"? i have heard this in several places and don't understand it

  9. #9


    also

    1) re: WowzaMediaServerMediaSecurity_UsersGuide.pdf for version 2. WowzaMediaServerMediaSecurity_UsersGuide.pdf

    has no changes at all from version 2 to 3? in guide and manual re security?

  10. #10

    Hi
    The WowzaMediaServerMediaSecurity_UsersGuide.pdf version number is to keep documentation up to date with the Wowza version.
    If they are exactly the same, this doesn't mean that the latest version is incorrect; it just means that there have been no alterations.

    Jason
