Starting with build 900, AVChat 3 introduces a new security feature called “token based authentication”. When enabled, it prevents third-party swf files (hosted on web sites other than your own, or by malicious users) from connecting to your media server. There are other security measures in place to prevent this, however token based authentication is the most secure!
This feature is turned off by default because, with it enabled:
- it takes slightly more time for users to connect to the media server,
- some connection attempts to the media server over slow Internet connections might fail,
- and we’ve only had a few clients that really needed this feature!
How to turn it on:
- install AVChat
- edit the settings file on the media server (avchat3.properties on Red5 and Wowza, settings.asc on FMIS)
- set the value of the tokenUrlLocation variable to the absolute URL of token_verify.php (token_verify.php is in the folder where you installed AVChat on your website; a good example is http://avchat.net/demos/av30/token_verify.php)
- restart the media server
AVChat is pretty secure out of the box; however, there are steps you and your developers can take to make your AVChat installation even more secure. We have now grouped these steps in a NEW SERVICE we’ll offer called Secure your AVChat installation. The service is priced at $199. We will analyze your AVChat and media server installation and propose/implement security measures against a broad range of attacks.
These are some of the measures we will take:
- Secure the data exchange between the clients and the media server by using rtmpe or rtmps instead of plain rtmp.
RTMPS communication leverages the proven security of SSL to wrap your RTMP session. RTMPE-based communication offers some of the benefits of RTMPS, but not all: it trades performance and certificate-less communication for being a versioned protocol under private Adobe control. RTMPE is only available with Wowza and FMIS, not with Red5.
- Secure connections to the media server by configuring and activating the token authentication mechanism in AVChat (will be available/detailed in the August build).
The token based authentication ensures that only swf files from your web server are allowed to connect to your media server. To use it you need to manually configure and activate it.
- Secure the streams against being rebroadcast.
We can do that by placing a watermark/logo over them (see the watermarkForOtherPeoplesStreams var in avc_settings.xxx).
- Secure AVChat’s admin area by limiting the IPs from which admins can connect.
AVChat allows you to limit the IPs from which admins are allowed to connect through admin.swf (see the adminsAllowedFromTheseIps var in settings.asc on FMIS and avchat3.properties on Red5 and Wowza).
- SWF verification (FMIS only)
Turning on and configuring swf verification on FMIS ensures that custom swf files (with altered or additional functionality, etc.) will never be able to connect to YOUR media server.
- Secure upload/download process
The sending of files to rooms and individual users can be further secured by moving the upload folder to a non-public area on the web server.
- Secure access to some scripts on the web server.
Writeuserslist.xxx and other scripts are only called/executed by the media server. It’s safe, then, to make them execute only when called by the media server (and not when called from a web browser).
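The two IP-based measures above (restricting admin connections to known addresses, and letting scripts such as writeuserslist run only when the media server calls them) are both allowlist checks on the caller’s address. The example below is an added illustration of such a check for a web-server-side script, not AVChat’s own code; the addresses are constructed, and the environ keys follow the common CGI/WSGI names (REMOTE_ADDR, HTTP_X_FORWARDED_FOR). The one edge case worth getting right is that a client-supplied X-Forwarded-For header must only be trusted when the direct peer is a proxy you operate.

```python
import ipaddress
from typing import Iterable, Mapping

# Constructed values for illustration: the media server's address, and an
# office range plus a v6 prefix for admins. Use your own deployment's values.
MEDIA_SERVER_IPS = ["203.0.113.10"]
ADMIN_IPS = ["198.51.100.0/24", "2001:db8::/32"]


def build_allowlist(entries: Iterable[str]):
    """Parse single IPs and CIDR ranges once at startup, so a malformed entry
    fails loudly instead of silently allowing or denying everyone later."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def client_address(environ: Mapping[str, str], trusted_proxies: Iterable[str] = ()):
    """Return the address to authorize.

    REMOTE_ADDR is filled in by the web server from the TCP connection, so the
    caller cannot forge it. X-Forwarded-For is honoured only when the direct
    peer is one of our own proxies; otherwise any browser could simply claim
    the media server's IP in a request header."""
    peer = ipaddress.ip_address(environ["REMOTE_ADDR"])
    proxies = build_allowlist(trusted_proxies)
    if proxies and any(peer in net for net in proxies):
        forwarded = environ.get("HTTP_X_FORWARDED_FOR", "")
        if forwarded:
            # Our proxy appended the last hop; that is the real client address.
            return ipaddress.ip_address(forwarded.split(",")[-1].strip())
    return peer


def is_allowed(environ: Mapping[str, str], allowlist, trusted_proxies=()) -> bool:
    """True if the caller is in the allowlist; any missing or malformed address
    is treated as a deny rather than letting the request through."""
    try:
        addr = client_address(environ, trusted_proxies)
    except (KeyError, ValueError):
        return False
    return any(addr in net for net in allowlist)


if __name__ == "__main__":
    media = build_allowlist(MEDIA_SERVER_IPS)
    print(is_allowed({"REMOTE_ADDR": "203.0.113.10"}, media))  # media server: True
    print(is_allowed({"REMOTE_ADDR": "192.0.2.5"}, media))     # a browser: False
```

In a script like writeuserslist, a `False` result should end the request with a 403 before any work is done; the same function with the admin allowlist gives the web-side counterpart of adminsAllowedFromTheseIps.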
- Remove any unneeded media server applications
Both Red5 and FMIS ship with default applications; we’ll consider removing them so that the permissive and well-known sample applications can no longer run and be exploited.
Most of these measures can also be taken/implemented by you or your developers and we will try to post detailed information on each one of the above steps.
Securing such a complex product needs a lot of thought, as there are many angles a hacker can take to attempt to disrupt the normal activity in the video chat.