Wowza Community

vod security roundup - secure VOD to Desktops

secure VOD to Desktops only (not iOS for now)

  1. re: WowzaMediaServerMediaSecurity_UsersGuide.pdf for version 2. WowzaMediaServerMediaSecurity_UsersGuide.pdf - has no changes at all from version 2 to 3?

  2. from WowzaMediaServerMediaSecurity_UsersGuide.pdf and the forum… I'm going in circles over what I need and what is overlapping or only needed for live.

so, in the guide it says:

“For example to protect video on demand streaming it is best to use SecureToken along with RTMPE”.

2a) OK, so that's ALL?? (SecureToken along with RTMPE)?

2b)

There is no special configuration needed to do RTMPE and RTMPTE streaming. You simply just specify rtmpe:// or rtmpte:// as the protocol portion of the server URL when connecting to Wowza Media Server from the Flash player.

re: RTMPE. i totally do not get this. on one hand it is said that RTMPE is “on by default” (http://www.wowza.com/forums/showthread.php?18894-auto-rmtpe&p=96143&highlight=#post96143) . but it is also said that “anyone can change it to RTMP making it useless” what does all that mean?

2c) post with Lisa reply:

Wowza developed its own implementation of RTMPE. Please note that to the best of our understanding, all versions of RTMPE have been compromised. Also note that Adobe’s own hardening guide states that RTMPS (not RTMPE) provides maximum security. http://www.adobe.com/devnet/flashmed…ing_guide.html . Would you be interested in RTMPS?

“SecureToken is a challenge and response based security system that when used in conjunction with RTMPE/RTMPTE provides a high level of content protection”

The SecureToken security feature requires changes to your client-side ActionScript player code so that it properly responds to the SecureToken challenge.

3a) I just had a swf compiled (for wowza) to play video only if played from my domain. is this different than SecureToken challenge and response or just one feature of SecureToken challenge and response?

3b) is it true that SecureToken is either built into a swf or issued from a remote server?

3c) is it true that if issued from a remote server the only singular advantage is the swf can't be attained and manipulated?


from related post:

Originally Posted by rrlanham

As far as I know, you have to compile a new SWF. Adding a token to javascript is not very secure, and I just don’t know if or how that works. I think I tried it awhile ago and it didn’t. You might want to hire a Flash developer to help. We have a list of independent consultants. Write to support@wowza.com if you want us to send that. Include a link to this thread.

Richard

4a) but how secure is using the swf? can't they just download and recompile the swf?

4b) isn't that why there are vendors who are selling token systems that don't rely on the swf?

i was told:

Protecting a swf (hash internal) is not best case and there are a multitude of programs that can strip that data out. Instead you should take the approach that you do a secure call into the system to generate hotlinking so you do not have a hardcoded hash. Protecting the swf better then becomes obsolete if you are doing an external call.

so what is Wowza's position on this?


from the following list, what is and is not needed for secure VOD to Desktops only (not iOS for now) to thwart most stuff like dump tools, and what in the list overlaps?

here is the list:

https://www.wowza.com/docs/how-to-secure-publishing-from-an-rtmp-encoder-that-does-not-support-authentication-modulesecureurlparams

https://www.wowza.com/docs/how-to-format-adobe-flash-rtmp-urls

https://www.wowza.com/docs/how-to-require-a-secure-rtmp-connection-modulerequiresecureconnection

Custom stream authorization and expiration module (all methods?)

“ModuleRequireSecureConnection”

https://www.wowza.com/docs/how-to-format-adobe-flash-rtmp-urls

http://www.wowza.com/forums/showthread.php?8457-Protecting-VOD&p=94054&highlight=#post94054

RTMPE is not on by default unless you use it. Where you would have a RTMP URL like this:

rtmp://[wowza-address]:1935/vod

To use RTMPE you change that to

rtmpe://[wowza-address]:1935/vod

Secure token is usually built-in to the SWF by recompiling player source code.

Regarding the suggestion in 4b, sounds good, a variety of schemes and custom schemes are good because they are custom and take special attention to defeat and compromise.

Richard

I haven’t dealt with security in awhile – it ultimately wasn’t too important for me – but it was pretty easy to make a custom module for Wowza 2 that would essentially “expire” any viewing sessions after a few seconds, thanks to a secret code stored only server-side (in Wowza and PHP/ASP/etc.). It didn’t require any messing with SWF, just some very basic use of the Wowza IDE. All of the code is here:

I’m not sure how else to explain rtmp vs rtmpe. They are different though related protocols. rtmpe is encrypted. You just add the “e” to use it.

SecureToken + RTMPE is pretty good security, but it can be defeated. Most security features can be defeated. It’s hard to show a video to someone on their computer and make it impossible for them to save it.

Richard

I don’t think so. The MediaSecurity addon has not changed since switching from ModuleSecureURLParams to ModuleRTMPAuthenticate for publish security.

Richard

  1. “All methods” meant rtsp, rtmp, http (for iDevices), etc. Basically everything that Wowza could output, this module could cover.

  2. I guess this was the one “SWF change” involved: I downloaded the JW Player source, edited the specified actionscript file, and recompiled to my own “custom” SWF. I think I used the free Adobe Flex SDK and it was pretty simple.

  3. In this method, there is nothing secret or special stored in the SWF (or the JavaScript, for that matter). The JW Player edit and recompile just allowed the extra flashvars to be passed from the embed code to Wowza. The secret code is only stored in the server-side PHP code and the server-side Wowza module.

  4. You could add other variables, but the point of my method was to make each instance of the embed code unique and time-based. Hence the timestamp and server-generated hash “signature”. User-level validation or logging would be something else entirely, and probably is better achieved outside of Wowza anyway. And any variables you wanted to add in the embed code would obviously need to be added in the JW Player code to pass them along and in the Wowza module code so Wowza knows what to do with them (check them, log them, etc.).

  5. If you want to switch between videos in one page, without reloading, you would need to do some AJAX or something to generate the timestamp and signature as each “play” link is clicked. Javascript alone can’t generate them, because that is client-side.

To sum it up, my module allowed the server to generate (and Wowza to verify) unique embed code every time a video was loaded. We mainly did it for the time expiration ability, but it turned out to be a decent alternative to SWF tokens and the like.

what do people mean when they say “but anyone can just take out the “e” and it's now not secure”? i have heard this in several places and don't understand it

By default, yes. But in your application.xml, with the MediaSecurity plugin, you can require RTMPE connections and block RTMP ones:

http://www.wowza.com/forums/showthread.php?9455-Allow-only-RTMPE

https://www.wowza.com/docs/media-security-overview

As for the Ajax example, I realize now that you would want to secure your Ajax call anyway, so it would be rather redundant to use it AND then use my Wowza security method above. If you’ve got a database of users and/or sessions, just send that user/session ID as the flashvar instead of my timestamp/signature thing and check/verify that ID in Wowza. Wowza modules are just compiled Java code, and Java can connect to a database just as well as any other language.

However, you don’t want to spend too much time focused on security – all it takes is one user with screen recording software and you’ve been defeated anyway!

  1. why does it say (all methods?)

  2. when you say compile JW you mean just change the .js file by adding lines of code?

  3. in regard to swf

a) swf method does same thing but is just hard-coded into swf rather than placed in js?

b) isn't it true that proponents of swf say JS is too unsecured and easily hacked?

  1. could this

so.addVariable('timestamp','<?php echo $timestamp; ?>');

so.addVariable('signature','<?php echo $signature; ?>');

&timestamp=<?php echo $timestamp; ?>&signature=<?php echo $signature; ?>

a) use other variables (e.g. subscriber User ID, subscriber User Status)

b) be modified (add/remove/change variables) at anytime by admin and whole system automatically updates

  1. re: so.addVariable('timestamp','<?php echo $timestamp; ?>');

can it be made to get server time NOT on page load, but on something like: $urlsignature = "server_time=

so the policy/token would be run when a link is clicked within $validminutes time of $urlsignature = "server_time -----> not upon page load? (or some similar code?)

(preferably if i load in many links to my app via json no timer will start for each link until that link is triggered by user)

@susta004

many thanks for detailed answer. really helped.

re:

  1. If you want to switch between videos in one page, without reloading, you would need to do some AJAX or something to generate the timestamp and signature as each “play” link is clicked. Javascript alone can’t generate them, because that is client-side.

well the php i suggested was part of the ajax (i guess…not really a coder). do you have any clue how that interaction might be done…like some rough idea i can further investigate?

@ rrlanham

despite the great reply here in this thread could you please give me a quick Wowza response to my initial questions.

thanks

sorry to belabor the point but:

RTMPE is not on by default unless you use it. Where you would have a RTMP URL like this:

rtmp://[wowza-address]:1935/vod

To use RTMPE you change that to

rtmpe://[wowza-address]:1935/vod

what do people mean when they say “but anyone can just take out the “e” and it's now not secure”? i have heard this in several places and don't understand it

also

  1. re: WowzaMediaServerMediaSecurity_UsersGuide.pdf for version 2. WowzaMediaServerMediaSecurity_UsersGuide.pdf

has no changes at all from version 2 to 3? in guide and manual re security?

I'm just asking if alterations have been made, all I have is the version 2 pdf

you don’t want to spend too much time focused on security

yes but might as well give a best effort. fewer holes > easier to monitor and track.

UPDATE: in case anyone followed this,

after host turned it on

changing

streamer: 'rtmp://stream.s15.cpanelservices.com/my/',

provider: 'rtmp'

to

streamer: 'rtmpe://stream.s15.cpanelservices.com/my/',

provider: 'rtmpe'

did create rtmpe streams

As for the Ajax example, I realize now that you would want to secure your Ajax call anyway, so it would be rather redundant to use it AND then use my Wowza security method above. If you’ve got a database of users and/or sessions, just send that user/session ID as the flashvar instead of my timestamp/signature thing and check/verify that ID in Wowza. Wowza modules are just compiled Java code, and Java can connect to a database just as well as any other language.

OK so by now I have done a bunch of research + by now it's clear — it's pretty darn simple to config wowza.

but wowza devs i have talked to basically tell me “you have to do the php part yourself” - and that’s the part that i need help on

so i want to do the php

so is this true:

what i have now:

SecureToken (but in this case SecureToken only with a password inside swf)

RTMPE

is decent but offers no dynamic functions between wowza server and my webserver

but…

using php, the same:

SecureToken

could be extended by:

having php/db talk to wowza (user/session ID) ??

so:

  1. In this method, there is nothing secret or special stored in the SWF (or the JavaScript, for that matter). The JW Player edit and recompile just allowed the extra flashvars to be passed from the embed code to Wowza. The secret code is only stored in the server-side PHP code and the server-side Wowza module.

  1. is taking secret code from swf and putting it in php instead

  2. using php, other variables can be passed along with the secret

  3. on wowza end, it's still called SecureToken and nothing more?

  4. or SecureToken in the case of the php stuff has nothing to do with and is ModuleRTMPAuthenticate
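The "php part" asked about here, and the click-time signing asked about earlier in the thread, written out as an added PHP example; this is not code from the thread, from susta004's module or from Wowza. The constant names, the function names, the HMAC-SHA256 choice and the decision to bind the stream name and session id into the signature are all assumptions; the Wowza module (Java) would reimplement verify_request() with the same secret.

```php
<?php
// Added example, not from the thread or Wowza. The shared secret lives only
// here and in the Wowza module; the SWF and the JavaScript carry nothing secret.
const SIGN_SECRET   = 'replace-with-a-long-random-secret'; // placeholder value
const VALID_MINUTES = 5;                                    // assumed window

// Build the flashvars for one embed, or for one AJAX "play" click.
// Binding the stream name and the user/session id into the payload means a
// captured timestamp+signature pair cannot be replayed for a different video
// or from a different session.
function sign_request(string $stream, string $sessionId, ?int $now = null): array {
    $now = $now ?? time();
    $payload = $stream . '|' . $sessionId . '|' . $now;
    return [
        'timestamp' => $now,
        'signature' => hash_hmac('sha256', $payload, SIGN_SECRET),
    ];
}

// The check the server-side module performs before allowing play: the
// timestamp must be inside the validity window and the signature must match.
function verify_request(string $stream, string $sessionId, int $timestamp,
                        string $signature, ?int $now = null): bool {
    $now = $now ?? time();
    if ($timestamp > $now + 60 || $now - $timestamp > VALID_MINUTES * 60) {
        return false; // expired, or timestamp from far in the future
    }
    $payload  = $stream . '|' . $sessionId . '|' . $timestamp;
    $expected = hash_hmac('sha256', $payload, SIGN_SECRET);
    return hash_equals($expected, $signature); // constant-time comparison
}

// Endpoint usage (e.g. sign.php?stream=sample.mp4): called by AJAX when a link
// is clicked, so the window starts at click time instead of page load. The
// player then forwards stream, session id, timestamp and signature as flashvars.
if (PHP_SAPI !== 'cli' && isset($_GET['stream'])) {
    session_start();
    header('Content-Type: application/json');
    echo json_encode(sign_request($_GET['stream'], session_id()));
}
```

The Wowza side must receive the same session id the web server used (pass it as a flashvar alongside timestamp and signature), otherwise the recomputed payload will not match.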

Hi

The WowzaMediaServerMediaSecurity_UsersGuide.pdf version number is to keep documentation up to date with the Wowza version.

If they are exactly the same, this doesn't mean that the latest version is incorrect, it just means that there have been no alterations.

Jason