RTMP Stream Security

Legacy content

This article primarily refers to streaming with Flash. It is only useful for legacy applications.

Stream Security: Overview of Defenses

Most streaming host services provide only rudimentary security. Referer protection requires that the SWF requesting the stream be served from a particular domain; if an attacker embeds your player directly from your site, this is defeated. Anti-hotlink protection requires that the referring page URL match a particular domain; that URL is simply passed in as a parameter to rtmpdump to defeat this "protection". If you serve your SWF from the same domain as your website, note that later versions of Flash truncate the page URL to only the domain rather than the full URL, so most page URL protection will let a simple iframe pointing directly at your SWF pass the page URL test.

A specific token can be embedded in the code of a Flash player, with a matching code installed on the media server. This can be used in combination with RTMPE encryption. The token itself can be recovered by decompiling the SWF and passed as a parameter to rtmpdump, so it is defeated just as easily as the referer and domain protections above.

If you are attacked with browser manipulation software, unauthorized viewers will be able to play your streams unless you protect your SWF further with SecureLink hashing on the URI together with an expiry time.
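As an added illustration, not code from the original article or from any particular SecureLink product, the following Python shows the shape of a hashed, expiring stream URI check: the media server recomputes a keyed hash over the path and expiry and rejects links that have expired, been re-pointed at another stream, or had their expiry extended. The query field names, the HMAC-SHA256 construction and the shared secret are assumptions.

```python
import hashlib
import hmac
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample secret (assumption). In a real deployment it lives only on
# the token-issuing web app and the media server, never inside the SWF, since
# anything in the SWF can be recovered by decompiling it.
SECRET = b"example-shared-secret-not-for-production"


def _token(path: str, expires_at: int, secret: bytes) -> str:
    """Keyed hash binding the stream path to its expiry time."""
    msg = f"{path}|{expires_at}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def sign_stream_uri(path: str, expires_at: int, secret: bytes = SECRET) -> str:
    """Issue a playable URI: /live/<stream>?e=<unix expiry>&h=<hash>."""
    return f"{path}?{urlencode({'e': expires_at, 'h': _token(path, expires_at, secret)})}"


def verify_stream_uri(uri: str, now: Optional[int] = None,
                      secret: bytes = SECRET) -> Tuple[bool, str]:
    """Server-side check; returns (allowed, reason)."""
    now = int(time.time()) if now is None else now
    parsed = urlparse(uri)
    qs = parse_qs(parsed.query)
    try:
        expires_at = int(qs["e"][0])
        presented = qs["h"][0]
    except (KeyError, ValueError, IndexError):
        return False, "missing or malformed token"
    # Check expiry first so a leaked link stops working on its own.
    if now >= expires_at:
        return False, "link expired"
    # Recompute over the *requested* path and *presented* expiry, so changing
    # either the stream name or the expiry field invalidates the hash.
    expected = _token(parsed.path, expires_at, secret)
    if not hmac.compare_digest(expected, presented):
        return False, "bad signature"
    return True, "ok"


if __name__ == "__main__":
    link = sign_stream_uri("/live/origin_abc123", int(time.time()) + 300)
    print(link)
    print(verify_stream_uri(link))
```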

Stream Security: Overview of Attacks

Securing streams is neither simple nor easy. There are numerous techniques for stealing streams, each of which we have defeated, and each presents its own difficulties. In general, we see:

Ripping attacks on streams:

These use the popular rtmpdump program, or front-end programs built on it. rtmpdump is quite difficult to defend against for two reasons: it can spoof any common security parameter, and it appears to the server to be a legitimate stream client.

Referer attacks on streams:

The attacker iframes your theater into their website and shows your streams, on your account, from their theater.

Browser embed attacks:

Another ingenious attack. The attacker distributes a VB.NET application that their subscribers install; it injects HTML into their site so that the browser convinces Flash that their page is your site, bypassing the security checks.

Wireshark examination of network traffic to get origin stream names:

We have seen attackers determine "secure" origin stream names by reading network traffic; some media servers leak the secret, unprotected origin URL in the traffic stream. The origin stream name is kept secret and is not published in your theater, because a stream that requires security checking cannot be run through relay servers. We have several effective defenses against this attack in production right now; your streams never show on other sites unless you allow it.