« August 2008 | Main | October 2008 »
On Monday this week, Reuters published a more informed article about Adobe Flash Media Server software, and it's ability to provide adequate protection measures for media distribution to the Adobe Flash platform. This is a response to the many false statements made in a previous article published last Friday.
There has been some speculation recently, questioning how media can be protected when it’s delivered to customer applications built on Adobe Flash or Adobe AIR, specifically when it’s streamed from Adobe Flash Media Server (FMS). An article published by Reuters on September 19th, 2008 has incorrectly stated that a security “flaw” exists in Adobe Flash Media Server software. I feel it is important for our customers and users to receive clarification given that the claims are factually incorrect.
The article states: “software doesn't encrypt online content, but only orders sent to a video player such as start and stop play,” and continues, “To boost download speeds, Adobe dropped a stringent security feature that protects the connection between the Adobe software and its players.”
This statement is inaccurate. All information transferred between client and server is encrypted when using RTMPe, not only the commands to start and stop play. No compromise has been made in the server software to boost speeds or security as claimed by the article.
The article also claims “…in tests by Reuters, at least one program to record online video, the Replay Media Catcher from Applian Technologies, recorded movies from Amazon and other sites that use Adobe's encryption technology together with its video player verification.”
Amazon has enabled the protection mechanisms provided by Adobe software and movies cannot be recorded. Adobe provides various methods for content owners to securely deliver content to Flash platform. Flash Media Server supports methods to completely encrypt all communication between player and server, restrict delivery of streams to video players created by content owners, enforce access controls like domain, geo filtering, secure tokens, etc. Content delivered from Flash Media Server (encrypted or unencrypted) will also leave no artifact on the disk that malicious software can capture.
I hope the following information will help clear up the inaccuracies and claims from the story.
Is there a hole in Adobe Flash Media Server?
No. Adobe Flash Media Server software does not have a technology flaw or hole. Adobe provides the software and technology that enables customers to deliver content over multimedia streaming protocols; Real Time Messaging Protocol RTMP (Unencrypted) or Real Time Messaging Protocol Encrypted RTMPe. To protect content we recommend customers using Adobe Flash Media Server software utilize RTMPe or RTMPte (tunneled version) combined with SWF verification to provide maximum content protection and also disable RTMP access. Adobe provides these content protection technology but it is the choice of the developer, the content owner and the delivery network manager to implement. Adobe works closely with all CDN partners to inform and implement these solutions in their networks. We also supply numerous examples of content protection through the Adobe Developer Connection.
Is content delivered through Flash Media Server encrypted?
Yes, When using RTMPe, RTMPte or RTMPs protocols, Flash Media Server (FMS) encrypts all data that is exchanged between the Flash player/AIR or Flash Lite and Flash Media Server.
If content is encrypted, then how can malicious software “capture” the media?
Software, such as Applian Media Catcher masquerades as a Flash Player and connects to Flash Media Server and requests for the stream using RTMP protocol (unencrypted). If FMS or the CDN is configured to deliver content over RTMP, the malicious software is able to capture the stream. If FMS and the client is configured to deliver media encrypted using RTMPe than software will not be able to capture the stream. If video player identification ( swf verification) is enabled in FMS or at the CDN, Applian Media Catcher will not be able to capture video streams for both RTMPe and RTMP.
Why can stream rippers capture some content but not others?
Flash developers, content owners and IT managers have the control to enable RTMPe and SWF Verification on video players running on Flash player or AIR. Content Delivery Networks (CDNs) offer support for RTMPe and SWF Verification at their discretion. Content can also be delivered to Flash player, AIR or Flash Lite from a web server (HTTP) or through RTMP without swf verification or session authorization, this could expose the media to malicious capture
If you would like to use these features of Flash Media Server, you can refer to the Content Protection whitepaper or contact your CDN representative.
Does Adobe make compromises in content protection to increase performance?
No. Both the integrity of security and performance are of top concern at Adobe. Flash Media Server 3 added significant performance increases and also introduced the new RTMPe protocol.
How do I make sure I am doing all I can to keep my content safe?
Content can be protected from the packet replay technology when streaming from Flash Media Server. Adobe is encouraging all content owners to
What is required to use RTMPe and SWF Verification?
RTMPe and SWF verification require Flash player 9.0.0.115 or higher and Flash Media Server 3. The following list of clients and servers provides a matrix of what you need
Clients:
- Adobe Flash player 9,0,115 or higher (released December 2007)
- Adobe AIR 1.0 or higher
- Adobe Media Player
Server:
- Adobe Flash Media Streaming Server 3 (released January 2008)
- Adobe Flash Media Interactive Server 3 (released January 2008)
- Content Delivery Network supporting FMS
Can Adobe software manage the rights of video content?
Yes. Adobe has software that can rights-manage content on the AIR platform with the Adobe Flash Media Rights Management Server. Alternatively, Flash Media Server or applications servers can be also be used to restrict access to media content. Token-based authentication is a common practice for adding Access Control Layers.
What protection measures are supported by the Content Delivery Networks (CDNs)?
Most CDN’s today support Flash Media Server 3. Adobe suggests you contact your CDN representative to inquire about their support for RTMPe and SWF Verification and blocking RTMP.
Where can you get more information about protecting content delivered from Flash Media Server?
How can I be informed of security advisories related to Adobe Flash Media Server and the Flash platform?
All documented security vulnerabilities and their solutions are distributed through the Adobe security notification service. You can sign up for the service at the following URL: http://www.adobe.com/cfusion/entitlement/index.cfm?e=szalert. Users may also monitor the latest information on the Adobe Product Security Incident Response Team blog.
You can also access the Adobe Security Advisory website.
USA is showing off its democracy strength once again. Being from Canada I find USA politics interesting, although my only participation is trying to convince my colleagues to vote one way or the other. However, I find people in this country are so engaged with the voting process. Canada has a much different political system then the USA and the new online experiences certainly do and will affect the social engagement of democratic systems world wide. It’s great that you can now watch conventions like these world wide live on the internet. It’s even more exciting to see how Live Video publishing companies like uStream.tv can create an experience that leverages the social nature of the internet.
This week, uStream.tv is broadcasting the RNC live. The streams can be emedded in any HTML site and today appear on Google News plus 100’s of other websites and blogs. You can use basic embed code to add it to your blog like I am doing below. Unlike other “similar” conventions you don’t need to download anything, and you can start watching quickly through many different syndication channels. uStream.tv chose Flash Media Server to deliver the video. uStream.tv is also responsible for live streaming from the Democratic National Convention (DNC) with Dailykos.com.
This is a trend I believe we will see grow in 2008, and through 2009. Leveraging the power of the people to distribute interesting Live content, then archive it for ever.
http://www.ustream.tv/flash/live/272800