Archive for September, 2008

Flash Media Server is the right choice to help serve and protect content

On Monday this week, Reuters published a more informed article about Adobe Flash Media Server software, and it’s ability to provide adequate protection measures for media distribution to the Adobe Flash platform. This is a response to the many false statements made in a previous article published last Friday.

Encryption and Streaming Media protection to Adobe Flash

There has been some speculation recently, questioning how media
can be protected when it’s delivered to customer applications built on Adobe
Flash or Adobe AIR, specifically when it’s streamed from Adobe Flash Media
Server (FMS)
.  An article published by Reuters on September 19th,
2008 has incorrectly stated that a security “flaw” exists in Adobe Flash Media
Server software. I feel it is important for our customers and users to receive
clarification given that the claims are factually incorrect. 

The article states: “software
doesn’t encrypt online content, but only orders sent to a video player such as
start and stop play,
” and continues, “To boost download speeds, Adobe
dropped a stringent security feature that protects the connection between the
Adobe software and its players.

This statement is inaccurate. All information transferred
between client and server is encrypted when using RTMPe, not only the commands
to start and stop play. No compromise has been made in the server software to
boost speeds or security as claimed by the article. 

The article also claims “…in
tests by Reuters, at least one program to record online video, the Replay Media
Catcher from Applian Technologies, recorded movies from Amazon and other sites
that use Adobe’s encryption technology together with its video player
verification
.”

Amazon has enabled the protection mechanisms provided by
Adobe software and movies cannot be recorded. Adobe provides various methods
for content owners to securely deliver content to Flash platform. Flash Media
Server supports methods to completely encrypt all communication between player
and server, restrict delivery of streams to video players created by content
owners, enforce access controls like domain, geo filtering, secure tokens, etc.
 Content delivered from Flash Media Server (encrypted or unencrypted) will also
leave no artifact on the disk that malicious software can capture. 

I hope the following information will help clear up the
inaccuracies and claims from the story.

Is there a hole in Adobe Flash Media Server?

No.
Adobe Flash Media Server software does not have a technology flaw or hole.
Adobe provides the software and technology that enables customers to deliver
content over multimedia streaming protocols;  Real Time Messaging Protocol RTMP
(Unencrypted) or Real Time Messaging Protocol Encrypted RTMPe. To protect content
we recommend customers using Adobe Flash Media Server software utilize RTMPe or
RTMPte (tunneled version) combined with SWF verification to provide maximum
content protection and also disable RTMP access.  Adobe provides these content
protection technology but it is the choice of the developer, the content owner
and the delivery network manager to implement.   Adobe works closely with all
CDN partners to inform and implement these solutions in their networks.  We
also supply numerous examples of content protection through the Adobe Developer
Connection
.

Is content delivered through Flash Media Server encrypted?

Yes, When using RTMPe, RTMPte or RTMPs protocols, Flash
Media Server (FMS) encrypts all data that is exchanged between the Flash
player/AIR or Flash Lite and Flash Media Server.

If content is encrypted, then how can malicious software
“capture” the media?

Software, such as Applian Media Catcher masquerades as a
Flash Player and connects to Flash Media Server and requests for the stream
using RTMP protocol (unencrypted).  If FMS or the CDN is configured to deliver
content over RTMP, the malicious software is able to capture the stream. If FMS
and the client is configured to deliver media encrypted using RTMPe than
software will not be able to capture the stream.  If video player
identification ( swf verification) is enabled in FMS or at the CDN, Applian Media
Catcher will not be able to capture video streams for both RTMPe and RTMP.

Why can stream rippers capture some content but not
others?

Flash developers, content owners and IT managers have the
control to enable RTMPe and SWF Verification on video players running on Flash
player or AIR.  Content Delivery Networks (CDNs) offer support for RTMPe and
SWF Verification at their discretion. Content can also be delivered to Flash player,
AIR or Flash Lite from a web server (HTTP) or through RTMP without swf
verification or session authorization, this could  expose the media to malicious
capture

If you would like to use these features of Flash Media
Server, you can refer to the Content Protection whitepaper or contact your CDN representative.

Does Adobe make compromises in content protection to
increase performance?

No.  Both the integrity of security and performance are of top concern at
Adobe.  Flash Media Server 3 added significant performance increases and also
introduced the new RTMPe protocol.

How do I make sure I am doing all I can to keep my content
safe?

Content can be protected from the packet replay technology
when streaming from Flash Media Server.  Adobe is encouraging all content
owners to

  • Use Adobe Flash Media Server 3 and RTMPe to stream content to Flash
    player or AIR
  • Use SWF Verification
  • Disable the RTMP protocol in Flash Media Server 3 when RTMPe/RTMPs is
    used
  • if a CDN is being used, contact the CDN and ask to disable RTMP and
    enable SWF Verification

What is required to use RTMPe and SWF Verification?

RTMPe and SWF verification require Flash player 9.0.0.115 or
higher and Flash Media Server 3. The following list of clients and servers
provides a matrix of what you need

Clients:

  • Adobe Flash player 9,0,115 or higher (released December 2007)
  • Adobe AIR 1.0 or higher
  • Adobe Media Player

Server:

  • Adobe Flash Media Streaming Server 3  (released January 2008)
  • Adobe Flash Media Interactive Server 3 (released January 2008)
  • Content Delivery Network supporting FMS

Can Adobe software manage the rights of video content?

Yes.  Adobe has software that can rights-manage content on
the AIR platform with the Adobe Flash Media Rights Management Server.  
Alternatively, Flash Media Server or applications servers can be also be used
to restrict access to media content.  Token-based authentication is a common
practice for adding Access Control Layers.

What protection measures are supported by the Content
Delivery Networks
(CDNs)?

Most CDN’s today support Flash Media Server 3.  Adobe
suggests you contact your CDN representative to inquire about their support for
RTMPe and SWF Verification and blocking RTMP.

Where can you get more information about protecting
content delivered from Flash Media Server?

How can I be informed of security advisories related to Adobe
Flash Media Server and the Flash platform?

All
documented security vulnerabilities and their solutions are distributed through
the Adobe security notification service. You can sign up for the service at the
following URL: http://www.adobe.com/cfusion/entitlement/index.cfm?e=szalert. Users may also monitor the latest
information on the Adobe Product Security Incident Response Team blog.

You can also access the Adobe Security Advisory website.

uStream.tv delivers live video from the Republican National Convention via Google using Flash

USA is showing off its democracy strength once again. Being from Canada I find USA politics interesting, although my only participation is trying to convince my colleagues to vote one way or the other. However, I find people in this country are so engaged with the voting process. Canada has a much different political system then the USA and the new online experiences certainly do and will affect the social engagement of democratic systems world wide. It’s great that you can now watch conventions like these world wide live on the internet. It’s even more exciting to see how Live Video publishing companies like uStream.tv can create an experience that leverages the social nature of the internet.

This week, uStream.tv is broadcasting the RNC live. The streams can be emedded in any HTML site and today appear on Google News plus 100’s of other websites and blogs. You can use basic embed code to add it to your blog like I am doing below. Unlike other “similar” conventions you don’t need to download anything, and you can start watching quickly through many different syndication channels. uStream.tv chose Flash Media Server to deliver the video. uStream.tv is also responsible for live streaming from the Democratic National Convention (DNC) with Dailykos.com.

This is a trend I believe we will see grow in 2008, and through 2009. Leveraging the power of the people to distribute interesting Live content, then archive it for ever.
http://www.ustream.tv/flash/live/272800
<!–
–>