Stream capture software providers are trying many ways to capture and archive video delivered to Adobe Flash. Today, few of these "rippers" support RTMP (Real-Time Messaging Protocol) – the protocol Adobe Flash Media Server (FMS) uses. To help prevent the ripping of video streamed through Flash, Adobe created the RTMPE protocol -- a real-time encryption solution -- and SWF Verification. These new technologies were introduced in Flash Media Server 3.0 and Adobe Flash Player 9.0.115. Today, over 86% of Internet-connected computers have adopted this Flash Player version, and all Content Delivery Networks (CDN) support Flash Media Server 3.
RTMPE and RTMPTE (the tunneled version) can be combined with SWF Verification to help provide additional content protection. This document discusses those methods in more detail.
-
Encrypt video assets with Adobe Flash Access (limited to Adobe AIR solutions).
Flash Media Server can verify SWF files running in Flash Player or AIR files running in Adobe AIR after the client connects to an application. Flash Media Server disconnects any Flash player or AIR application sending invalid bytes. This verification ensures that only your SWF files or AIR files can connect to your application or content on Flash Media Server. SWF verification requires at minimum Flash Media Server 3.0 and Flash Player 9.0.115 or AIR 1.0.
For optimal security, enable the SWF Verification functionality and ensure that the <FinalHashTimeout> tag is configured. The <FinalHashTimeout> tag specifies the maximum time (in seconds) that the server is willing to wait to receive the last SWF Verification byte. Flash Media Server disconnects the client if it does not receive all the SWF Verification bytes within this timeout.
-
Set a default value of 20 seconds.
Note: Consider your target audience when setting the appropriate timeout value. Setting the value too low can adversely affect low-bandwidth connections (for example, modem users), because the longer it takes to download the SWF file, the greater the possibility of FMS reaching the timeout and prematurely disconnecting the client. However, setting a longer timeout means potentially allowing rippers to rip more content.<Application> <SWFVerification enabled="true"> <SWFFolder></SWFFolder> <FinalHashTimeout>20</FinalHashTimeout> </SWFVerification> </Application>
Adobe released a Flash Media Server Developer Center article that contains several alternate solutions for protecting content against replay attacks and other forms of theft.
Use one of the following methods to disable any non-RTMPE connections:
- DisallowedProtocols tag
- Customized Server-Side ActionScript (SSAS).*
- Access and Authorization Plug-ins.*
*These solutions are only applicable for Flash Media Interactive Server (FMIS) edition.
Flash Media Server 3.0.3 and 3.5.1 introduced the Application.xml <DisallowedProtocols> tag to allow administrators to restrict application access by connection protocols. This tag accepts a comma delimited list of protocols to reject connection attempts. Any protocols not listed are allowed. Adobe recommends specifying RTMP and RTMPS to allow only client connections over RTMPE:
<DisallowedProtocols>rtmp, rtmps, rtmpt</DisallowedProtocols>
To deploy this solution on Flash Media Interactive Server, your application requires custom Server-Side ActionScript (for example, main.asc). It's recommended that only experienced developers deploy and test this solution.
-
application.onConnect = function(clientObj) { //only allow rtmpe and rtmpte connections if(clientObj.protocol == "rtmpe" || clientObj.protocol == "rtmpte"){ return true; } return false }