From the official Adobe blog:
For those who are diligent and feel like reading: in short, they swear up and down that they have no holes and that, if you want, everything can be configured so that nothing can be recorded.
Encryption and Streaming Media protection to Adobe Flash
There has been some speculation recently, questioning how media can be protected when it’s delivered to customer applications built on Adobe Flash or Adobe AIR, specifically when it’s streamed from Adobe Flash Media Server (FMS). An article published by Reuters on September 19th, 2008 has incorrectly stated that a security “flaw” exists in Adobe Flash Media Server software. I feel it is important for our customers and users to receive clarification given that the claims are factually incorrect.
The article states: “software doesn't encrypt online content, but only orders sent to a video player such as start and stop play,” and continues, “To boost download speeds, Adobe dropped a stringent security feature that protects the connection between the Adobe software and its players.”
This statement is inaccurate. All information transferred between client and server is encrypted when using RTMPe, not only the commands to start and stop play. No compromise has been made in the server software to boost speeds or security as claimed by the article.
The article also claims “…in tests by Reuters, at least one program to record online video, the Replay Media Catcher from Applian Technologies, recorded movies from Amazon and other sites that use Adobe's encryption technology together with its video player verification.”
Amazon has enabled the protection mechanisms provided by Adobe software and movies cannot be recorded. Adobe provides various methods for content owners to securely deliver content to the Flash platform. Flash Media Server supports methods to completely encrypt all communication between player and server, restrict delivery of streams to video players created by content owners, enforce access controls like domain, geo filtering, secure tokens, etc. Content delivered from Flash Media Server (encrypted or unencrypted) will also leave no artifact on the disk that malicious software can capture.
I hope the following information will help clear up the inaccuracies and claims from the story.
Is there a hole in Adobe Flash Media Server?
No. Adobe Flash Media Server software does not have a technology flaw or hole. Adobe provides the software and technology that enables customers to deliver content over multimedia streaming protocols: Real Time Messaging Protocol, RTMP (unencrypted), or Real Time Messaging Protocol Encrypted, RTMPe. To protect content we recommend customers using Adobe Flash Media Server software utilize RTMPe or RTMPte (tunneled version) combined with SWF verification to provide maximum content protection and also disable RTMP access. Adobe provides these content protection technologies but it is the choice of the developer, the content owner and the delivery network manager to implement. Adobe works closely with all CDN partners to inform and implement these solutions in their networks. We also supply numerous examples of content protection through the Adobe Developer Connection.
Is content delivered through Flash Media Server encrypted?
Yes. When using RTMPe, RTMPte or RTMPs protocols, Flash Media Server (FMS) encrypts all data that is exchanged between the Flash player/AIR or Flash Lite and Flash Media Server.
If content is encrypted, then how can malicious software “capture” the media?
Software such as Applian Media Catcher masquerades as a Flash Player, connects to Flash Media Server and requests the stream using the RTMP protocol (unencrypted). If FMS or the CDN is configured to deliver content over RTMP, the malicious software is able to capture the stream. If FMS and the client are configured to deliver media encrypted using RTMPe, then software will not be able to capture the stream. If video player identification (SWF verification) is enabled in FMS or at the CDN, Applian Media Catcher will not be able to capture video streams for both RTMPe and RTMP.
Why can stream rippers capture some content but not others?
Flash developers, content owners and IT managers have the control to enable RTMPe and SWF Verification on video players running on Flash player or AIR. Content Delivery Networks (CDNs) offer support for RTMPe and SWF Verification at their discretion. Content can also be delivered to Flash player, AIR or Flash Lite from a web server (HTTP) or through RTMP without SWF verification or session authorization; this could expose the media to malicious capture.
If you would like to use these features of Flash Media Server, you can refer to the Content Protection whitepaper or contact your CDN representative.
Does Adobe make compromises in content protection to increase performance?
No. Both the integrity of security and performance are of top concern at Adobe. Flash Media Server 3 added significant performance increases and also introduced the new RTMPe protocol.
How do I make sure I am doing all I can to keep my content safe?
Content can be protected from the packet replay technology when streaming from Flash Media Server. Adobe is encouraging all content owners to:
* Use Adobe Flash Media Server 3 and RTMPe to stream content to Flash player or AIR
* Use SWF Verification
* Disable the RTMP protocol in Flash Media Server 3 when RTMPe/RTMPs is used
* If a CDN is being used, contact the CDN and ask to disable RTMP and enable SWF Verification
What is required to use RTMPe and SWF Verification?
RTMPe and SWF verification require Flash player 9.0.0.115 or higher and Flash Media Server 3. The following list of clients and servers provides a matrix of what you need.
Clients:
* Adobe Flash player 9,0,115 or higher (released December 2007)
* Adobe AIR 1.0 or higher
* Adobe Media Player
Server:
* Adobe Flash Media Streaming Server 3 (released January 2008)
* Adobe Flash Media Interactive Server 3 (released January 2008)
* Content Delivery Network supporting FMS
Can Adobe software manage the rights of video content?
Yes. Adobe has software that can rights-manage content on the AIR platform with the Adobe Flash Media Rights Management Server. Alternatively, Flash Media Server or application servers can also be used to restrict access to media content. Token-based authentication is a common practice for adding Access Control Layers.
What protection measures are supported by the Content Delivery Networks (CDNs)?
Most CDNs today support Flash Media Server 3. Adobe suggests you contact your CDN representative to inquire about their support for RTMPe and SWF Verification and blocking RTMP.
Where can you get more information about protecting content delivered from Flash Media Server?
* Tech Advisory on Media Replay and RTMPE (Release August 29th, 2008)
* Content Protection Whitepaper
* FMS 3 Whitepaper (Released January 2008)
* Adobe Developer Connection
How can I be informed of security advisories related to Adobe Flash Media Server and the Flash platform?
All documented security vulnerabilities and their solutions are distributed through the Adobe security notification service. You can sign up for the service at the following URL:
http://www.adobe.com/cfusion/entitlemen ... ?e=szalert. Users may also monitor the latest information on the Adobe Product Security Incident Response Team blog.
You can also access the Adobe Security Advisory website.
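
An added example, not part of the Adobe post or of this forum message: a small Python audit that checks an FMS application's Application.xml against the checklist quoted above (SWF verification on, unencrypted RTMP off). It assumes the `SWFVerification` and `DisallowedProtocols` elements of Application.xml are available in your FMS version; the sample XML is constructed, and treating RTMPT as unencrypted alongside RTMP goes slightly beyond the post's wording.

```python
import xml.etree.ElementTree as ET

# Constructed sample configurations (not taken from any real server).
WEAK = """<Application>
  <SWFVerification enabled="false"/>
  <DisallowedProtocols></DisallowedProtocols>
</Application>"""

HARDENED = """<Application>
  <SWFVerification enabled="true"/>
  <DisallowedProtocols>rtmp, rtmpt</DisallowedProtocols>
</Application>"""

# Protocols that carry the stream in the clear. The post only names RTMP;
# RTMPT (RTMP tunnelled over HTTP) is added here as an assumption.
UNENCRYPTED = ("rtmp", "rtmpt")


def audit_application_xml(xml_text):
    """Return a list of findings; an empty list means the checklist is met."""
    root = ET.fromstring(xml_text)
    findings = []

    # Checklist item: "Use SWF Verification".
    swfv = root.find(".//SWFVerification")
    enabled = swfv is not None and swfv.get("enabled", "").strip().lower() == "true"
    if not enabled:
        findings.append("SWF verification is not enabled")

    # Checklist item: "Disable the RTMP protocol ... when RTMPe/RTMPs is used".
    # An absent or empty element means every protocol is accepted.
    raw = root.findtext(".//DisallowedProtocols") or ""
    disallowed = {p.strip().lower() for p in raw.split(",") if p.strip()}
    for proto in UNENCRYPTED:
        if proto not in disallowed:
            findings.append("unencrypted protocol still allowed: " + proto)
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        result = audit_application_xml(cfg)
        print(name, "->", result if result else "OK")
```
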