re: WowzaMediaServerMediaSecurity_UsersGuide.pdf for version 2. WowzaMediaServerMediaSecurity_UsersGuide.pdf - has no changes at all from version 2 to 3?
from WowzaMediaServerMediaSecurity_UsersGuide.pdf and the forum… I'm going in circles over what I need and what is overlapping or only needed for live.
so, in the guide it says:
“For example to protect video on demand streaming it is best to use SecureToken along with RTMPE”.
2a) OK, so that's ALL?? (SecureToken along with RTMPE)?
2b)
There is no special configuration needed to do RTMPE and RTMPTE streaming. You simply just specify rtmpe:// or rtmpte:// as the protocol portion of the server URL when connecting to Wowza Media Server from the Flash player.
Wowza developed its own implementation of RTMPE. Please note that to the best of our understanding, all versions of RTMPE have been compromised. Also note that Adobe’s own hardening guide states that RTMPS (not RTMPE) provides maximum security. http://www.adobe.com/devnet/flashmed…ing_guide.html . Would you be interested in RTMPS?
–
“SecureToken is a challenge and response based security system that when used in conjunction with RTMPE/RTMPTE provides a high level of content protection”
The SecureToken security feature requires changes to your client-side ActionScript player code so that it properly responds to the SecureToken challenge.
3a) I just had a swf compiled (for wowza) to play video only if played from my domain. Is this different than the SecureToken challenge and response, or just one feature of the SecureToken challenge and response?
3b) Is it true that SecureToken is either built into a swf or issued from a remote server?
3c) Is it true that if issued from a remote server the only singular advantage is that the swf can't be obtained and manipulated?
from related post:
Originally Posted by rrlanham
As far as I know, you have to compile a new SWF. Adding a token to javascript is not very secure, and I just don’t know if or how that works. I think I tried it awhile ago and it didn’t. You might want to hire a Flash developer to help. We have a list of independent consultants. Write to support@wowza.com if you want us to send that. Include a link to this thread.
Richard
4a) But how secure is using the swf? Can't they just download and recompile the swf?
4b) Isn't that why there are vendors who are selling token systems that don't rely on the swf?
i was told:
Protecting a swf (hash internal) is not best case and there are a multitude of programs that can strip that data out. Instead you should take the approach that you do a secure call into the system to generate hotlinking so you do not have a hardcoded hash. Protecting the swf better then becomes obsolete if you are doing an external call.
So what is Wowza's position on this?
From the following list, what is and is not needed for secure VOD to desktops only (not iOS for now) to thwart most stuff like dump tools, and what in the list overlaps?
RTMPE is not on by default unless you use it. Where you would have a RTMP URL like this:
rtmp://[wowza-address]:1935/vod
To use RTMPE you change that to
rtmpe://[wowza-address]:1935/vod
Secure token is usually built-in to the SWF by recompiling player source code.
Regarding the suggestion in 4b, sounds good. A variety of schemes and custom schemes are good because they are custom; they take special attention to defeat and compromise.
I haven’t dealt with security in awhile – it ultimately wasn’t too important for me – but it was pretty easy to make a custom module for Wowza 2 that would essentially “expire” any viewing sessions after a few seconds, thanks to a secret code stored only server-side (in Wowza and PHP/ASP/etc.). It didn’t require any messing with SWF, just some very basic use of the Wowza IDE. All of the code is here:
I’m not sure how else to explain rtmp vs rtmpe. They are different though related protocols. rtmpe is encrypted. You just add the “e” to use it.
SecureToken + RTMPE is pretty good security, but it can be defeated. Most security features can be defeated. It’s hard to show a video to someone on their computer and make it impossible for them to save it.
“All methods” meant rtsp, rtmp, http (for iDevices), etc. Basically everything that Wowza could output, this module could cover.
I guess this was the one “SWF change” involved: I downloaded the JW Player source, edited the specified actionscript file, and recompiled to my own “custom” SWF. I think I used the free Adobe Flex SDK and it was pretty simple.
In this method, there is nothing secret or special stored in the SWF (or the JavaScript, for that matter). The JW Player edit and recompile just allowed the extra flashvars to be passed from the embed code to Wowza. The secret code is only stored in the server-side PHP code and the server-side Wowza module.
You could add other variables, but the point of my method was to make each instance of the embed code unique and time-based. Hence the timestamp and server-generated hash “signature”. User-level validation or logging would be something else entirely, and probably is better achieved outside of Wowza anyway. And any variables you wanted to add in the embed code would obviously need to be added in the JW Player code to pass them along and in the Wowza module code so Wowza knows what to do with them (check them, log them, etc.).
If you want to switch between videos in one page, without reloading, you would need to do some AJAX or something to generate the timestamp and signature as each “play” link is clicked. Javascript alone can’t generate them, because that is client-side.
To sum it up, my module allowed the server to generate (and Wowza to verify) unique embed code every time a video was loaded. We mainly did it for the time expiration ability, but it turned out to be a decent alternative to SWF tokens and the like.
What do people mean when they say “but anyone can just take out the “e” and it's now not secure”? I have heard this in several places and don't understand it.
By default, yes. But in your application.xml, with the MediaSecurity plugin, you can require RTMPE connections and block RTMP ones:
As for the Ajax example, I realize now that you would want to secure your Ajax call anyway, so it would be rather redundant to use it AND then use my Wowza security method above. If you’ve got a database of users and/or sessions, just send that user/session ID as the flashvar instead of my timestamp/signature thing and check/verify that ID in Wowza. Wowza modules are just compiled Java code, and Java can connect to a database just as well as any other language.
However, you don’t want to spend too much time focused on security – all it takes is one user with screen recording software and you’ve been defeated anyway!
can it be made to get server time NOT on page load, but on something like: $urlsignature = "server_time=
so the policy/token would be run when a link is clicked within $validminutes time of $urlsignature = "server_time -----> not upon page load? (or some similar code?)
(preferably if i load in many links to my app via json no timer will start for each link until that link is triggered by user)
If you want to switch between videos in one page, without reloading, you would need to do some AJAX or something to generate the timestamp and signature as each “play” link is clicked. Javascript alone can’t generate them, because that is client-side.
Well, the php I suggested was part of the ajax (I guess… not really a coder). Do you have any clue how that interaction might be done… like some rough idea I can further investigate?
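As an added illustration of the approach described earlier in the thread (a timestamp plus a server-generated signature passed as flashvars, with the secret kept only in the server-side PHP and the Wowza module) and of the "sign when the play link is clicked, not on page load" interaction asked about here, the following PHP is not code from the thread or from Wowza. The file names, constant names and the exact flashvar names are assumptions; the check shown in `verify_play_request()` is the one the Wowza-side Java module would have to perform on the values it receives, written here in PHP only so the two halves can be read side by side.

```php
<?php
// Added example, not code from the thread or from Wowza. Names are assumptions.
// The shared secret lives only on the web server (this file) and inside the
// Wowza module; nothing secret is compiled into the SWF or sent to the browser.
const SHARED_SECRET = 'replace-with-a-long-random-secret';   // placeholder value
const VALID_SECONDS = 120;                                     // how long one signature is accepted
const CLOCK_SKEW    = 5;                                       // tolerance between web and Wowza clocks

// Build the flashvars for one "play" click: stream name, server time and an
// HMAC over both, so every embed instance is unique and time-bound.
function sign_play_request(string $stream, int $now, string $secret = SHARED_SECRET): array
{
    $signature = hash_hmac('sha256', $stream . '|' . $now, $secret);
    return ['stream' => $stream, 'server_time' => $now, 'signature' => $signature];
}

// The check the Wowza-side module must perform on the received flashvars
// before it allows the play (shown in PHP here; in Wowza it would be Java).
function verify_play_request(array $p, int $now, string $secret = SHARED_SECRET,
                             int $valid = VALID_SECONDS): bool
{
    if (!isset($p['stream'], $p['server_time'], $p['signature'])) {
        return false;                                   // required values missing
    }
    $t = (int) $p['server_time'];
    if ($t > $now + CLOCK_SKEW || $now - $t > $valid) {
        return false;                                   // expired, or timestamp from the future
    }
    $expected = hash_hmac('sha256', $p['stream'] . '|' . $t, $secret);
    return hash_equals($expected, (string) $p['signature']);   // constant-time comparison
}

// Web endpoint (assumed name sign.php): the page's JavaScript fetches
// sign.php?stream=<name> via AJAX at the moment a play link is clicked, then
// loads the player with the returned values as flashvars. Because the
// timestamp is issued here, the validity window starts at the click, not at
// page load, and links loaded via JSON cost nothing until they are used.
if (PHP_SAPI !== 'cli' && isset($_GET['stream'])) {
    session_start();
    if (empty($_SESSION['user_id'])) {                  // assumed session field
        http_response_code(403);                        // only logged-in users get signatures
        exit;
    }
    $stream = basename((string) $_GET['stream']);       // strip any path components
    header('Content-Type: application/json');
    echo json_encode(sign_play_request($stream, time()));
    exit;
}

// Command-line demonstration of the three outcomes the module must distinguish.
if (PHP_SAPI === 'cli') {
    $fresh = sign_play_request('sample.mp4', time());
    echo 'fresh, untouched:      ', var_export(verify_play_request($fresh, time()), true), PHP_EOL;

    $tampered = $fresh;
    $tampered['stream'] = 'other.mp4';                  // stream swapped after signing
    echo 'stream name changed:   ', var_export(verify_play_request($tampered, time()), true), PHP_EOL;

    $stale = sign_play_request('sample.mp4', time() - 600);   // signed ten minutes ago
    echo 'older than window:     ', var_export(verify_play_request($stale, time()), true), PHP_EOL;
}
```

The stream name is part of the signed data so that a signature issued for one video cannot be reused for another, and the window is measured by the server's clock on both sides, which is why the Wowza host and the web host should be time-synchronised. If you already have a user or session table, the same pattern works with a session ID in place of the timestamp, as the earlier reply suggests; the module then looks the ID up instead of recomputing an HMAC.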
OK, so by now I have done a bunch of research, and by now it's clear: it's pretty darn simple to config wowza.
But the wowza devs I have talked to basically tell me “you have to do the php part yourself”, and that's the part that I need help on.
So I want to do the php.
so is this true:
what i have now:
SecureToken (but in this case SecureToken only with a password inside swf)
RTMPE
is decent but offers no dynamic functions between wowza server and my webserver
but…
using php, the same:
SecureToken
could be extended by:
having php/db talk to wowza (user/session ID) ??
so:
In this method, there is nothing secret or special stored in the SWF (or the JavaScript, for that matter). The JW Player edit and recompile just allowed the extra flashvars to be passed from the embed code to Wowza. The secret code is only stored in the server-side PHP code and the server-side Wowza module.
is taking secret code from swf and putting it in php instead
using php, other variables can be passed along with the secret
On the wowza end, it's still called SecureToken and nothing more?
Or does SecureToken have nothing to do with the php stuff, which is instead ModuleRTMPAuthenticate?