AVChat is pretty secure out of the box; however, there are steps you and your developers can take to make your AVChat installation even more secure. We have now grouped these steps in a NEW SERVICE we’ll offer called Secure your AVChat installation. The service is priced at $199. We will analyze your AVChat and media server installation and propose/implement security measures against a broad range of attacks.

These are some of the measures we will take:

  • Secure the data exchange between the clients and the media server by using RTMPE or RTMPS instead of plain RTMP.
    RTMPS communication leverages the proven security of SSL to wrap your RTMP session. RTMPE-based communication offers some of the benefits of RTMPS, but not all: it trades performance and certificate-less communication for being a versioned protocol under private Adobe control. RTMPE is only available with Wowza and FMIS, not with Red5.
  • Secure connections to the media server by configuring and activating the token authentication mechanism in AVChat (will be available/detailed in the August build).
    Token-based authentication ensures that only SWF files from your web server are allowed to connect to your media server. To use it you need to manually configure and activate it.
  • Secure the streams from being rebroadcasted.
    We can do that by placing a watermark/logo over them (see the watermarkForOtherPeoplesStreams var in avc_settings.xxx).
  • Secure AVChat’s admin area by limiting the IPs from which admins can connect.
    AVChat allows you to limit the IPs from which admins are allowed to connect through admin.swf (see the adminsAllowedFromTheseIps var in settings.asc on FMIS and in avchat3.properties on Red5 and Wowza).
  • SWF verification (FMIS only)
    Turning on and configuring SWF verification on FMIS ensures that custom SWF files (with altered or additional functionality, etc.) will never be able to connect to YOUR media server.
  • Secure upload/download process
    The sending of files to rooms and individual users can be further secured by moving the upload folder to a non-public area on the web server.
  • Secure access to some scripts on the web server.
    Writeuserslist.xxx and other scripts are only called/executed by the media server. It is therefore safe to make them execute only when called by the media server (and not when called from a web browser).
  • Remove any unneeded media server applications
    Both Red5 and FMIS ship with default applications; we’ll consider removing them so that the permissive and well-known sample applications can no longer run and be exploited.

Most of these measures can also be taken/implemented by you or your developers, and we will try to post detailed information on each one of the above steps.

Securing such a complex product needs a lot of thinking, as there are a lot of angles a hacker can take to attempt to disrupt the normal activity in the video chat.

3 thoughts on “New Service: Secure your AVChat installation”

  1. thegreatest says:

    Great service. Your instructions on this are needed badly to close some of the security holes. Make sure you don’t put your clients at risk when posting detailed instructions here.
    But anyways there is much more additional out-of-the-box security required. You need to keep working hard on that matter or customers will choose another more secure chat software.

  2. mugabe says:

    Are you kidding with your “AVChat is pretty secure out of the box”???
    I see _several_ times in your installation instructions to `chmod 777`. You, sir, are a joke.

    1. Octavian says:

      The only folders that are chmoded to 777 are the folders where files are being uploaded and the media server app. If someone has so much access to your server that he can access the 777 folders then you’re in a whole new league of trouble.

      Securing AVChat (and anything else really) is about much more than properly chmoding some folders.
      We have not had 1 security incident where the way those folders were chmoded was the issue!
