Skip navigation
ZzionN
Currently Being Moderated

RTMPE cannot protect contents

Sep 30, 2008 11:18 PM

I was able to download streaming videos using RTMPE potocol by an application called replay catcher.
Are there any new methods to protect our contents?
1638 Views   5 Replies   Latest reply: jpvdp, Nov 5, 2008 4:43 AM
 
Replies
  • fmslove
    Currently Being Moderated
    1. fmslove,
    Oct 1, 2008 12:51 AM   in reply to ZzionN
    Report
    Yes, FMS has extensive ways to protect the content. And it has already been discussed in posts a while ago.

    There is also a useful post on the blog of Kevin Towes, Product Manager, FMS.
    http://blogs.adobe.com/ktowes/


    Correcting the reports, replay catcher has never downloaded videos using RTMPE; it is just that it try to use RTMP url to access the same stream and becomes successful if rtmp & rtmpe both are enabled on target FMS (which is actually the default setting on FMS3).

    referring to Kevin's blog and other information around adobe.com; I think that using any of the options below will block replay catcher:

    - using swf verification feature makes sure that only specified custom swf(s) may connect to FMS.

    - disabling RTMP is one way so that ONLY RTMPE connection is accepted at FMS.

    - The strongest of all is server-side action script; one can write own connection authentication method in SSAS methods and RMI client.onConnect() and client.call. this will make make sure any client like replay catcher will just not able to comply with your custom authentication routine as it would be unique.




     
    |
    Mark as:
  • Currently Being Moderated
    2. ZzionN,
    Oct 1, 2008 2:13 AM   in reply to fmslove
    Report
    Thanks fmslove.
    After that,I have one more question.
    Even though my server allows RTMP as well RTMPE connection, I have enabled swf verification(and being tested)
    When the player was playing the video, it was using RTMPE.
    How can the replay catcher connect my server using RTMP? Why it won't be detected by the verification?
     
    |
    Mark as:
  • jpvdp
    Currently Being Moderated
    3. jpvdp,
    Oct 31, 2008 4:18 AM   in reply to ZzionN
    Report
    To correct the correction, replay catcher does download rtmpe streams.
    I disabled rtmp and enabled swf verification, still replay catcher downloads the content.

    It looks like they monitor the communication between server and player and replay that for their own connection.
    So the swf verification protection is not safe.
    The only method left in the documents provided by adobe is a rather fishy smelling one,calling a client function with a random number and check that. That is as safe as securetoken used by wowza, people can decompile your swf and figure out the function/shared secret.

    Untill adobe does come with a good solution your content is not protected in any way.
    Kinda makes one wonder why adobe is not saying anything about this.
    They were very strong telling that swf verification and smtp(e) provided protection.

    JP
     
    |
    Mark as:
  • ktowes (Product Mgr)
    Currently Being Moderated
    4. ktowes (Product Mgr),
    Nov 3, 2008 8:42 AM   in reply to jpvdp
    Report
    SWF Verification by itself adds a higher level of protection, but sometimes you need more. You need to combine SWFVerification with RTMPe, and disable RTMP. It's the disabling or limiting RTMP connections that will block malicious software like Replay Media Catcher (RMC). RMC does not capture RTMPe-protected streams. It changes the HTTP request from RTMPe to RTMP, and then captures the RTMP (clear) stream.

    My Blog (quoted earlier) describes this - but you should refer to the technote for more detail: http://kb.adobe.com/selfservice/viewContent.do?externalId=kb405456&sli ceId=2

    Kev.
     
    |
    Mark as:
  • jpvdp
    Currently Being Moderated
    5. jpvdp,
    Nov 5, 2008 4:43 AM   in reply to ktowes (Product Mgr)
    Report
    Strange enough even after disabling rtmp streams, rmc was still able to capture the stream.
    I used the methods as described to disable rtmp, and tested this to work correctly.
    It could be I missed something, but really it seems that rmc is a step ahead at the moment..

    JP
     
    |
    Mark as:
Actions

More Like This

  • Retrieving data ...

Bookmarked By (0)

Answers + Points = Status

  • 10 points awarded for Correct Answers
  • 5 points awarded for Helpful Answers
  • 10,000+ points
  • 1,001-10,000 points
  • 501-1,000 points
  • 5-500 points