chrisjchrisj — 2011-07-24T14:13:44-04:00 — #1
This script that I'm using, on a web page, allows a web page visitor to record a video, via his webcam. However, the script shows the rtmp path.
I was told that "rtmp must be kept secure at all times or anyone can use it"
but I'm not clear on how someone can use it and why it must be secure.
Can you help clarify why this is a risk?
Here is the code showing the rtmp path (example):
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<script type="text/javascript" src="swfobject.js"></script></head><!-- assumed file name of the SWFObject library the line below relies on -->
<body><script type="text/javascript">
var so = new SWFObject("recorder.swf", "recorder", "620", "470", "9", "#000000");
// remaining lines of the post, including the flashvars that carry the rtmp path, were not included
</script></body></html>
If it should be kept secure, is there a solution to keeping it hidden or secure?
eastcoast — 2011-07-24T17:41:28-04:00 — #2
If the script requires the rtmp URL to be hidden then there is a fundamental and insecure flaw in its design. There are ways you could obfuscate the URL, but this isn't real security.
You need to make sure that the rtmp application (presumably red5/FMIS) handles user requests to record/playback correctly. The danger is that if there is no such handling, malicious users could use your server resources to record and playback videos independent of your website and application.
chrisjchrisj — 2011-07-24T18:43:44-04:00 — #3
Thanks for your reply.
This isn't a script I created. I purchased it. The script doesn't require that the rtmp URL be hidden, as far as I know.
A recording is captured using the html displayed and then can be played back on the finishURL=player.html page. Is this the "handling" that you're referring to? Would this be considered "correctly"?
Because this appears in the html: rtmpPath=rtmp://67.xxx.xxx.xxx
can malicious people now use this path to use my server?
eastcoast — 2011-07-24T20:14:52-04:00 — #4
The front end html code is entirely irrelevant; it has nothing to do with how the server responds to rtmp connections coming in or out.
Any rtmp server application should have a server side script as well as any front end connectivity. In the case of a FMIS application, this is an actionscript1 file that you put in the applications directory within the FMIS server directory. It's this that controls access to the server's capability to stream and record. Normally, to ensure that users are authenticated (rather than e.g. coming from an external malicious site) there will be some form of secure token passed to the client side application.
If it's a commercial script from a reputable company then their support should be able to confirm they have this sort of security measure in place. It's easy enough to test: take your swf and embed it in another site; if it connects and plays back or makes recordings then you have a security issue, as anybody will be able to do similar.
chrisjchrisj — 2011-07-24T22:31:00-04:00 — #5
Thanks again. Really appreciate it.
Could you please clarify what you mean by "take your swf and embed in another site".
eastcoast — 2011-07-25T19:16:00-04:00 — #6
Somebody could download the swf you are using, and upload it on their own site. If it's passed the same rtmp address, and there is no server side authentication, it'll work as normal, except they are using your bandwidth from your rtmp server.
chrisjchrisj — 2011-07-25T22:25:18-04:00 — #7
Thanks for taking the time to enlighten me. I appreciate that clear explanation. Much thanks.