Ready to use – Red5 streamer with stream security


As RTMP continues to grow, and Red5 triumphs as the only open source RTMP server alive, protecting your application from misuse becomes a concern. The following Red5 application implements stream security for both playback and publishing.

You can edit the files allowedHTMLdomains.txt and allowedSWFdomains.txt and add the domain names that should be able to play back/publish using your application. Each domain name must be added on a new line.

The application also lets you allow/disallow publishing entirely. To do so, edit the file red5-web.xml and set enablePublish to true/false according to your needs:

<bean class="org.red5.core.security.PublishSecurity" init-method="init" id="publishSecurity">
    <property name="application" ref="web.handler" />
    <property name="htmlDomains" value="/WEB-INF/allowedHTMLdomains.txt" />
    <property name="swfDomains" value="/WEB-INF/allowedSWFdomains.txt" />
    <property name="publishNames" value="/WEB-INF/allowedPublishNames.txt" />
    <property name="enablePublish" value="true" />
</bean>

You can also set stream publish security by defining specific stream names that are allowed for recording/broadcasting in the file allowedPublishNames.txt.

Note: putting a * in any of the three security files will disable security for the particular context. E.g., putting a * in allowedPublishNames.txt means that the stream check is disabled.
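Because a single * line silently turns a check off, it is worth auditing a deployment before it goes live. The following is an added example, not part of the original application: it reads the bean shown above and reports, per list, whether the check is restricted, wildcarded, empty or missing. The file contents are constructed samples, and the function name and status labels are assumptions of this sketch.

```python
import xml.etree.ElementTree as ET

# The bean from the post; the file contents below are constructed samples.
BEAN_XML = """<bean class="org.red5.core.security.PublishSecurity" init-method="init" id="publishSecurity">
<property name="application" ref="web.handler" />
<property name="htmlDomains" value="/WEB-INF/allowedHTMLdomains.txt" />
<property name="swfDomains" value="/WEB-INF/allowedSWFdomains.txt" />
<property name="publishNames" value="/WEB-INF/allowedPublishNames.txt" />
<property name="enablePublish" value="true" />
</bean>"""

SAMPLE_FILES = {  # constructed contents, keyed by the paths the bean references
    "/WEB-INF/allowedHTMLdomains.txt": "example.com\nwww.example.com\n",
    "/WEB-INF/allowedSWFdomains.txt": "example.com\n*\n",
    "/WEB-INF/allowedPublishNames.txt": "\n",
}

LIST_PROPS = ("htmlDomains", "swfDomains", "publishNames")


def audit(bean_xml, files):
    """Return (property, status, detail) tuples for one PublishSecurity bean."""
    props = {p.get("name"): p.get("value")
             for p in ET.fromstring(bean_xml).findall("property")}
    findings = []
    for name in LIST_PROPS:
        path = props.get(name)
        if path is None or path not in files:
            findings.append((name, "missing", path))
            continue
        # One entry per line, as the post describes; blank lines are ignored.
        entries = [ln.strip() for ln in files[path].splitlines() if ln.strip()]
        if "*" in entries:
            # Per the post, a * disables the check for this context.
            findings.append((name, "wildcard", path))
        elif not entries:
            findings.append((name, "empty", path))
        else:
            findings.append((name, "restricted", ", ".join(entries)))
    publish = (props.get("enablePublish") or "").strip().lower()
    status = publish if publish in ("true", "false") else "unknown"
    findings.append(("enablePublish", status, "red5-web.xml"))
    return findings


if __name__ == "__main__":
    for name, status, detail in audit(BEAN_XML, SAMPLE_FILES):
        print(f"{name:14} {status:10} {detail}")
```

In the sample, the swfDomains list is reported as wildcard even though it also names example.com, since the * line is what decides the outcome.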

This application is created for a quick and easy deployment, with guidance from red5.org.

Download:

Customstreamer_domaincontrol_source_0.8

Customstreamer_domaincontrol_deployable_0.8 [rtmp application name: domaincontrol]

Or generate your own with Red5 – Online Application Generator

August 26, 2010  Posted in: Java, RTMP, Red5  One Comment

Hacking Private Channels Of Ustream

Recently, working on a custom player implementation on ustream.com using their API, I found a huge loophole that I would like to share. Ustream lets you create public/private channels and then broadcast on them using FMLE or a SWF-based publisher. Private channels can be password protected, so only people with the right password can view them. But here is the catch!! The password-based security system is pretty invalid in itself.

While programming on the platform I noticed that the player uses the AMF protocol to send and receive data to and from the server. So here is how you can hack anyone's private channel (password protected).

1.  Go to https://addons.mozilla.org/en-US/firefox/addon/1843/ and install the Firebug extension for Firefox.

2.  Go to the page which hosts the private channel and open the Firebug debug panel. Make sure you have enabled the Net panel.

Firebug NetPanel

3.  Next, while going through the requests made by the site to Ustream, you will notice without much effort that the AMF call with the password tagged to it is very clearly visible.

Password Reveal

So there you have it: both the channel ID and the password for the stream! Not so protected, is it now? :)

August 13, 2010  Posted in: General  5 Comments

Red5 Remoting

Remoting is a facility by which a client can call a server method in a request-response fashion. Unlike RTMP, remoting services are performed using AMF over HTTP/HTTPS. Red5 can act as both an RTMP server and an HTTP/HTTPS remoting server. Remoting enables non-RTMP clients to access Red5 methods. A very practical use would be to request a chat room's user count, for example. Using remoting you can request such data without consuming as many server resources as an RTMP connection would. You can also create chat programs with simple AMF polling. Remoting also lets you sync data types over both ends (client-server).

August 3, 2010  Posted in: Java, Red5  No Comments

Justice Prevails – “Apple the new world leader in software insecurity”


Even as the current market for Adobe Flash soars sky high, we can't forget what Adobe went through a little while back, taking backlash from Apple. Riding on waves of iPhone/iPad success, the company had completely forgotten a very simple thing. “What you throw at others, comes back at you one day.”

July 23, 2010  Posted in: General  No Comments

