Issue

Stream capture software providers are trying many ways to capture and archive video delivered to Adobe Flash. Today, few of these "rippers" support RTMP (Real-Time Messaging Protocol) – the protocol  Adobe Flash Media Server (FMS) uses. To help prevent the ripping of video streamed through Flash, Adobe created the RTMPE protocol -- a real-time encryption solution -- and SWF Verification. These new technologies were introduced in Flash Media Server 3.0 and Adobe Flash Player 9.0.115. Today, over 86% of Internet-connected computers have adopted this Flash Player version, and all Content Delivery Networks (CDN) support Flash Media Server 3.

RTMPE and RTMPTE (the tunneled version) can be combined with SWF Verification to help provide additional content protection. This document discusses those methods in more detail.

Solution

There are two ways to help prevent this activity:

  1. Enable SWF Verification and use RTMPE-only connections.
  2. Encrypt video assets with Adobe Flash Access (limited to Adobe AIR solutions).

Enable SWF Verification

Flash Media Server can verify SWF files running in Flash Player or AIR files running in Adobe AIR after the client connects to an application. Flash Media Server disconnects any Flash player or AIR application sending invalid bytes. This verification ensures that only your SWF files or AIR files can connect to your application or content on Flash Media Server. SWF verification requires at minimum Flash Media Server 3.0 and Flash Player 9.0.115 or AIR 1.0. See the LiveDocs for more specific information on SWF verification.

For optimal security, enable the SWF Verification functionality and ensure that the <FinalHashTimeout> tag is configured. The <FinalHashTimeout> tag specifies the maximum time (in seconds) that the server is willing to wait to receive the last SWF Verification byte. Flash Media Server disconnects the client if it does not receive all the SWF Verification bytes within this timeout.

Configure SWF Verification for applications:

  1. Create a backup of the %FMS_Install%/conf/_defaultRoot_/_defaultVHost_/Application.xml file.
  2. Open the Application.xml and locate the <SWFVerification> tag.
  3. Set the "enabled" attribute on the <SWFVerification> tag to "true".
  4. Specify the location of the folder containing the verification SWFs in the <SWFFolder>.



    Note: If <SWFFolder> is empty or missing, FMS looks for the SWFs in application_directory\SWFs.

     
  5. Add the <FinalHashTimeout> tag within <SWFVerification> tags.



    Note: This action forces the replay software to become disconnected after this amount of time.

     
  6. Set a default value of 20 seconds.



    Note: Consider your target audience when setting the appropriate timeout value. Setting the value too low can adversely affect low-bandwidth connections (for example, modem users), because the longer it takes to download the SWF file, the greater the possibility of FMS reaching the timeout and prematurely disconnecting the client. However, setting a longer timeout means potentially allowing rippers to rip more content.

    <Application>
      <SWFVerification enabled="true">
       <SWFFolder></SWFFolder>
        <FinalHashTimeout>20</FinalHashTimeout>
       </SWFVerification>
     </Application>

Adobe released a Flash Media Server Developer Center article that contains several alternate solutions for protecting content against replay attacks and other forms of theft.

Use RTMPE-only connections

Use one of the following methods to disable any non-RTMPE connections: 

  • DisallowedProtocols tag
  • Customized Server-Side ActionScript (SSAS).*
  • Access and Authorization Plug-ins.*

*These solutions are only applicable for Flash Media Interactive Server (FMIS) edition.

DisallowedProtocols tag

Flash Media Server 3.0.3 and 3.5.1 introduced the Application.xml <DisallowedProtocols> tag to allow administrators to restrict application access by connection protocols. This tag accepts a comma delimited list of protocols to reject connection attempts. Any protocols not listed are allowed. Adobe recommends specifying RTMP and RTMPS to allow only client connections over RTMPE:

<DisallowedProtocols>rtmp, rtmps, rtmpt</DisallowedProtocols>

Note: The comma delimited list is not case-sensitive. 

Custom Server-Side ActionScript

To deploy this solution on Flash Media Interactive Server, your application requires custom Server-Side ActionScript (for example, main.asc). It's recommended that only experienced developers deploy and test this solution.

  1. Add the following script within the application.onConnect handler:

    application.onConnect = function(clientObj) {
     //only allow rtmpe and rtmpte connections
       if(clientObj.protocol == "rtmpe" || clientObj.protocol == "rtmpte"){
         return true;
       }
      return false
     }
    Note: Adobe does not recommend using the URI to perform protocol checking because it can be spoofed. The best practice is to use the Server-Side ActionScript properties provided by Flash Media Server.

     
  2. Save the Server-Side ActionScript and restart Flash Media Server.

Sample Access and Authorization Plug-ins

The adaptors.zip file contains sample C code for Access and Authorization adaptor. Adobe recommends that experienced developers integrate this code with existing plug-in code for their Flash Media Interactive Servers. Consult the LiveDocs for more information on using plug-ins with Flash Media Server.

Encrypting video assets with Flash Access

Flash Access is a stand-alone server that allows content owners to protect media content delivered to Adobe Media Player and Adobe AIR applications. Consult the LiveDocs for more information on encrypting video assets and the digital rights management (DRM) capabilities of Flash Access.

Additional Information

This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License  Twitter™ and Facebook posts are not covered under the terms of Creative Commons.

Legal Notices   |   Online Privacy Policy