Protect video content (Flash Media Server)
Issue
Stream capture software providers are trying many ways to capture and archive video delivered to Adobe Flash. Today, few of these "rippers" support RTMP (Real-Time Messaging Protocol) – the protocol Adobe Flash Media Server (FMS) uses. To help prevent the ripping of video streamed through Flash, Adobe created the RTMPE protocol -- a real-time encryption solution -- and SWF Verification. These new technologies were introduced in Flash Media Server 3.0 and Adobe Flash Player 9.0.115. Today, over 86% of Internet-connected computers have adopted this Flash Player version, and all Content Delivery Networks (CDN) support Flash Media Server 3.
RTMPE and RTMPTE (the tunneled version) can be combined with SWF Verification to help provide additional content protection. This document discusses those methods in more detail.
Solution
There are two ways to help prevent this activity:
-
Enable SWF Verification and use RTMPE-only connections.
-
Encrypt video assets with Adobe Flash Access (limited to Adobe AIR solutions).
Enable SWF Verification
Flash Media Server can verify SWF files running in Flash Player or AIR files running in Adobe AIR after the client connects to an application. Flash Media Server disconnects any Flash player or AIR application sending invalid bytes. This verification ensures that only your SWF files or AIR files can connect to your application or content on Flash Media Server. SWF verification requires at minimum Flash Media Server 3.0 and Flash Player 9.0.115 or AIR 1.0.
For optimal security, enable the SWF Verification functionality and ensure that the <FinalHashTimeout> tag is configured. The <FinalHashTimeout> tag specifies the maximum time (in seconds) that the server is willing to wait to receive the last SWF Verification byte. Flash Media Server disconnects the client if it does not receive all the SWF Verification bytes within this timeout.
Configure SWF Verification for applications:
-
Create a backup of the %FMS_Install%/conf/_defaultRoot_/_defaultVHost_/Application.xml file.
-
Open the Application.xml and locate the <SWFVerification> tag.
-
Set the "enabled" attribute on the <SWFVerification> tag to "true".
-
Specify the location of the folder containing the verification SWFs in the <SWFFolder>.
Note: If <SWFFolder> is empty or missing, FMS looks for the SWFs in application_directory\SWFs.
-
Add the <FinalHashTimeout> tag within <SWFVerification> tags.
Note: This action forces the replay software to become disconnected after this amount of time.
-
Set a default value of 20 seconds.
Note: Consider your target audience when setting the appropriate timeout value. Setting the value too low can adversely affect low-bandwidth connections (for example, modem users), because the longer it takes to download the SWF file, the greater the possibility of FMS reaching the timeout and prematurely disconnecting the client. However, setting a longer timeout means potentially allowing rippers to rip more content.
<Application> <SWFVerification enabled="true"> <SWFFolder></SWFFolder> <FinalHashTimeout>20</FinalHashTimeout> </SWFVerification> </Application>
Adobe released a Flash Media Server Developer Center article that contains several alternate solutions for protecting content against replay attacks and other forms of theft.
Use RTMPE-only connections
Use one of the following methods to disable any non-RTMPE connections:
- DisallowedProtocols tag
- Customized Server-Side ActionScript (SSAS).*
- Access and Authorization Plug-ins.*
*These solutions are only applicable for Flash Media Interactive Server (FMIS) edition.
DisallowedProtocols tag
Flash Media Server 3.0.3 and 3.5.1 introduced the Application.xml <DisallowedProtocols> tag to allow administrators to restrict application access by connection protocols. This tag accepts a comma delimited list of protocols to reject connection attempts. Any protocols not listed are allowed. Adobe recommends specifying RTMP and RTMPS to allow only client connections over RTMPE:
<DisallowedProtocols>rtmp, rtmps, rtmpt</DisallowedProtocols>
Note: The comma delimited list is not case-sensitive.
Custom Server-Side ActionScript
To deploy this solution on Flash Media Interactive Server, your application requires custom Server-Side ActionScript (for example, main.asc). It's recommended that only experienced developers deploy and test this solution.
-
Add the following script within the application.onConnect handler:
application.onConnect = function(clientObj) { //only allow rtmpe and rtmpte connections if(clientObj.protocol == "rtmpe" || clientObj.protocol == "rtmpte"){ return true; } return false }
Note: Adobe does not recommend using the URI to perform protocol checking because it can be spoofed. The best practice is to use the Server-Side ActionScript properties provided by Flash Media Server.
-
Save the Server-Side ActionScript and restart Flash Media Server.