AVChat is pretty secure out of the box. However, there are steps you and your developers can take to make your AVChat installation even more secure. We have now grouped these steps in a NEW SERVICE we'll offer called Secure your AVChat installation. The service is priced at $199. We will analyze your AVChat and media server installation and propose/implement security measures against a broad range of attacks.
These are some of the measures we will take:
- Secure the data exchange between the clients and the media server by using rtmpe or rtmps instead of plain rtmp.
RTMPS communication leverages the proven security of SSL to wrap your RTMP session. RTMPE-based communication offers some of the benefits of RTMPS, but not all: it trades performance and certificate-less communication for being a versioned protocol under private Adobe control. RTMPE is only available with Wowza and FMIS, not with Red5.
- Secure connections to the media server by configuring and activating the token authentication mechanism in AVChat (will be available/detailed in the August build).
Token-based authentication ensures that only SWF files from your web server are allowed to connect to your media server. To use it you need to manually configure and activate it.
- Secure the streams from being rebroadcasted.
We can do that by placing a watermark/logo over them (see the watermarkForOtherPeoplesStreams var in avc_settings.xxx).
- Secure AVChat's admin area by limiting the IPs from which admins can connect.
AVChat allows you to limit the IPs from which admins are allowed to connect through admin.swf (see the adminsAllowedFromTheseIps var in settings.asc on FMIS and avchat3.properties on Red5 and Wowza).
- SWF verification (FMIS only)
Turning on and configuring SWF verification on FMIS ensures that custom SWF files (with altered or additional functionality, etc.) will never be able to connect to YOUR media server.
- Secure upload/download process
The sending of files to rooms and individual users can be further secured by moving the upload folder to a non-public area on the web server.
- Secure access to some scripts on the web server.
Writeuserslist.xxx and other scripts are only called/executed by the media server. It's safe then to make them execute only when called by the media server (and not when called from a web browser).
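The two access checks above (admins limited to allowed IPs, server-only scripts executing only for the media server) share the same logic: compare the caller's address against an allowlist and, for scripts, also require a shared secret. The following is an added illustration in Python, not AVChat's own code; the addresses, the secret and the function names are constructed for the example.

```python
import hmac
import ipaddress

# Constructed sample configuration. In a real deployment these values come from the
# server-side settings file, never from a publicly readable location.
MEDIA_SERVER_ALLOWLIST = ["203.0.113.10", "10.0.0.0/24"]   # IPs and/or CIDR ranges
SHARED_SECRET = "constructed-example-secret"                # shared with the media server


def ip_allowed(remote_addr, allowlist):
    """True if the caller's address falls inside one of the allowlisted entries.
    Malformed addresses are rejected instead of raising."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    # strict=False also accepts entries like 10.0.0.5/24 (host bits set).
    return any(addr in ipaddress.ip_network(entry, strict=False) for entry in allowlist)


def token_valid(presented, expected):
    """Constant-time comparison, so a wrong token leaks nothing about the right one."""
    if presented is None:
        return False
    return hmac.compare_digest(presented.encode(), expected.encode())


def media_server_may_call(remote_addr, token):
    """Gate for a server-only script such as writeuserslist: both the source address
    and the shared token must check out. Use the socket peer address (REMOTE_ADDR),
    not X-Forwarded-For, unless a proxy you control overwrites that header."""
    return ip_allowed(remote_addr, MEDIA_SERVER_ALLOWLIST) and token_valid(token, SHARED_SECRET)


if __name__ == "__main__":
    # Constructed requests: one legitimate media-server call and two that must be refused.
    print(media_server_may_call("203.0.113.10", SHARED_SECRET))   # True
    print(media_server_may_call("198.51.100.7", SHARED_SECRET))   # False: address not allowed
    print(media_server_may_call("10.0.0.25", "guess"))            # False: wrong token
```

The same `ip_allowed` check, fed the admin allowlist instead, is what an adminsAllowedFromTheseIps-style restriction amounts to.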
- Remove any unneeded media server applications
Both Red5 and FMIS ship with default applications. We'll consider removing them so that the permissive and well-known sample applications can no longer run and be exploited.
Most of these measures can also be taken/implemented by you or your developers and we will try to post detailed information on each one of the above steps.
Securing such a complex product needs a lot of thinking, as there are many angles an attacker can take to attempt to disrupt the normal activity in the video chat.