There has been some speculation recently, questioning how media
can be protected when it’s delivered to customer applications built on Adobe
Flash or Adobe AIR, specifically when it’s streamed from Adobe Flash Media
Server (FMS). An article published by Reuters on September 19th,
2008 has incorrectly stated that a security “flaw” exists in Adobe Flash Media
Server software. I feel it is important for our customers and users to receive
clarification given that the claims are factually incorrect.
The article states: “software
doesn’t encrypt online content, but only orders sent to a video player such as
start and stop play,” and continues, “To boost download speeds, Adobe
dropped a stringent security feature that protects the connection between the
Adobe software and its players.”
This statement is inaccurate. All information transferred
between client and server is encrypted when using RTMPe, not only the commands
to start and stop play. No compromise has been made in the server software to
boost speeds or security as claimed by the article.
The article also claims “…in
tests by Reuters, at least one program to record online video, the Replay Media
Catcher from Applian Technologies, recorded movies from Amazon and other sites
that use Adobe’s encryption technology together with its video player
Amazon has enabled the protection mechanisms provided by
Adobe software and movies cannot be recorded. Adobe provides various methods
for content owners to securely deliver content to Flash platform. Flash Media
Server supports methods to completely encrypt all communication between player
and server, restrict delivery of streams to video players created by content
owners, enforce access controls like domain, geo filtering, secure tokens, etc.
Content delivered from Flash Media Server (encrypted or unencrypted) will also
leave no artifact on the disk that malicious software can capture.
I hope the following information will help clear up the
inaccuracies and claims from the story.
Is there a hole in Adobe Flash Media Server?
Adobe Flash Media Server software does not have a technology flaw or hole.
Adobe provides the software and technology that enables customers to deliver
content over multimedia streaming protocols; Real Time Messaging Protocol RTMP
(Unencrypted) or Real Time Messaging Protocol Encrypted RTMPe. To protect content
we recommend customers using Adobe Flash Media Server software utilize RTMPe or
RTMPte (tunneled version) combined with SWF verification to provide maximum
content protection and also disable RTMP access. Adobe provides these content
protection technology but it is the choice of the developer, the content owner
and the delivery network manager to implement. Adobe works closely with all
CDN partners to inform and implement these solutions in their networks. We
also supply numerous examples of content protection through the Adobe Developer
Is content delivered through Flash Media Server encrypted?
Yes, When using RTMPe, RTMPte or RTMPs protocols, Flash
Media Server (FMS) encrypts all data that is exchanged between the Flash
player/AIR or Flash Lite and Flash Media Server.
If content is encrypted, then how can malicious software
“capture” the media?
Software, such as Applian Media Catcher masquerades as a
Flash Player and connects to Flash Media Server and requests for the stream
using RTMP protocol (unencrypted). If FMS or the CDN is configured to deliver
content over RTMP, the malicious software is able to capture the stream. If FMS
and the client is configured to deliver media encrypted using RTMPe than
software will not be able to capture the stream. If video player
identification ( swf verification) is enabled in FMS or at the CDN, Applian Media
Catcher will not be able to capture video streams for both RTMPe and RTMP.
Why can stream rippers capture some content but not
Flash developers, content owners and IT managers have the
control to enable RTMPe and SWF Verification on video players running on Flash
player or AIR. Content Delivery Networks (CDNs) offer support for RTMPe and
SWF Verification at their discretion. Content can also be delivered to Flash player,
AIR or Flash Lite from a web server (HTTP) or through RTMP without swf
verification or session authorization, this could expose the media to malicious
If you would like to use these features of Flash Media
Server, you can refer to the Content Protection whitepaper or contact your CDN representative.
Does Adobe make compromises in content protection to
No. Both the integrity of security and performance are of top concern at
Adobe. Flash Media Server 3 added significant performance increases and also
introduced the new RTMPe protocol.
How do I make sure I am doing all I can to keep my content
Content can be protected from the packet replay technology
when streaming from Flash Media Server. Adobe is encouraging all content
- Use Adobe Flash Media Server 3 and RTMPe to stream content to Flash
player or AIR
- Use SWF Verification
- Disable the RTMP protocol in Flash Media Server 3 when RTMPe/RTMPs is
- if a CDN is being used, contact the CDN and ask to disable RTMP and
enable SWF Verification
What is required to use RTMPe and SWF Verification?
RTMPe and SWF verification require Flash player 188.8.131.52 or
higher and Flash Media Server 3. The following list of clients and servers
provides a matrix of what you need
- Adobe Flash player 9,0,115 or higher (released December 2007)
- Adobe AIR 1.0 or higher
- Adobe Media Player
- Adobe Flash Media Streaming Server 3 (released January 2008)
- Adobe Flash Media Interactive Server 3 (released January 2008)
- Content Delivery Network supporting FMS
Can Adobe software manage the rights of video content?
Yes. Adobe has software that can rights-manage content on
the AIR platform with the Adobe Flash Media Rights Management Server.
Alternatively, Flash Media Server or applications servers can be also be used
to restrict access to media content. Token-based authentication is a common
practice for adding Access Control Layers.
What protection measures are supported by the Content
Delivery Networks (CDNs)?
Most CDN’s today support Flash Media Server 3. Adobe
suggests you contact your CDN representative to inquire about their support for
RTMPe and SWF Verification and blocking RTMP.
Where can you get more information about protecting
content delivered from Flash Media Server?
- Tech Advisory on Media Replay and RTMPE (Release August 29th, 2008)
- Content Protection Whitepaper
- FMS 3 Whitepaper (Released January 20008)
- Adobe Developer Connection
How can I be informed of security advisories related to Adobe
Flash Media Server and the Flash platform?
documented security vulnerabilities and their solutions are distributed through
the Adobe security notification service. You can sign up for the service at the
following URL: http://www.adobe.com/cfusion/entitlement/index.cfm?e=szalert. Users may also monitor the latest
information on the Adobe Product Security Incident Response Team blog.
You can also access the Adobe Security Advisory website.