Correcting the reports, replay catcher has never downloaded
videos using RTMPE; it is just that it try to use RTMP url to
access the same stream and becomes successful if rtmp & rtmpe
both are enabled on target FMS (which is actually the default
setting on FMS3).
referring to Kevin's blog and other information around
adobe.com; I think that using any of the options below will block
- using swf verification feature makes sure that only
specified custom swf(s) may connect to FMS.
- disabling RTMP is one way so that ONLY RTMPE connection is
accepted at FMS.
- The strongest of all is server-side action script; one can
write own connection authentication method in SSAS methods and RMI
client.onConnect() and client.call. this will make make sure any
client like replay catcher will just not able to comply with your
custom authentication routine as it would be unique.
After that,I have one more question.
Even though my server allows RTMP as well RTMPE connection, I
have enabled swf verification(and being tested)
When the player was playing the video, it was using RTMPE.
How can the replay catcher connect my server using RTMP? Why
it won't be detected by the verification?
To correct the correction, replay catcher does download rtmpe
I disabled rtmp and enabled swf verification, still replay
catcher downloads the content.
It looks like they monitor the communication between server
and player and replay that for their own connection.
So the swf verification protection is not safe.
The only method left in the documents provided by adobe is a
rather fishy smelling one,calling a client function with a random
number and check that. That is as safe as securetoken used by
wowza, people can decompile your swf and figure out the
Untill adobe does come with a good solution your content is
not protected in any way.
Kinda makes one wonder why adobe is not saying anything about
They were very strong telling that swf verification and
smtp(e) provided protection.
SWF Verification by itself adds a higher level of protection,
but sometimes you need more. You need to combine SWFVerification
with RTMPe, and disable RTMP. It's the disabling or limiting RTMP
connections that will block malicious software like Replay Media
Catcher (RMC). RMC does not capture RTMPe-protected streams. It
changes the HTTP request from RTMPe to RTMP, and then captures the
RTMP (clear) stream.
Strange enough even after disabling rtmp streams, rmc was
still able to capture the stream.
I used the methods as described to disable rtmp, and tested
this to work correctly.
It could be I missed something, but really it seems that rmc
is a step ahead at the moment..