We ran into a problem with this new application we're developing.
Say, we have a NetGroup with no publish password. Every user in this group can publish a NetStream with their video.
Then consider this scenario:
1. User A joins the group, chooses a completely random stream name, say /foobar and publishes it.
2. Malicious user B first publishes /foobar and then actually connects to someone in the group
Some tests we ran show that in this case, the stream is actually published. Correct me if we got it wrong.
3. User A still doesn't know about this problem, so we have two simultaneous streams running under the same name.
3. User C knows that A has stream /foobar and starts playing it.
How can user C in this case know that stream he is watching originates from user A and not someone else?
And the worst part of the problem, how do we know where the malicious stream originates from, so we can banish that user for being such an ***?
I don't see any peerID or groupAddress in any of NetGroup.MulticastStream events. So even if we say that a publisher must send some token verifying the source every second, or something like that, and we detect that the stream we're currently watching is not authentic, all we can do is ask the publisher to change the address, just to encounter the same situation a few seconds later.
Or maybe there is some way to select a stream by source's peerID, and not name? That would totally resolve the problem. (Given that RTMFP does not allow to fake peerIDs, but that would be a disaster in many other ways)