#1
  1. Contributing User

    Should I hide the rtmp path?


    This script that I'm using, on a web page, allows a web page visitor to record a video, via his webcam. However, the script shows the rtmp path.

    I was told that "rtmp must be kept secure at all times or anyone can use it"
    but I'm not clear on how someone can use it and why it must be secure.

    Can you help clarify why this is a risk?

    Here is the code showing the rtmp path (example):


    Code:
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
    <head>
    <title>recorder</title>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <script type="text/javascript" src="js/swfobject.js"></script>
    </head>
    
    <body bgcolor="#ffffff">
    <div id="recorder"></div>
    
    
    <script type="text/javascript">
    // <![CDATA[
    var so = new SWFObject("recorder.swf", "recorder", "620", "470", "9", "#000000");
    so.addParam('flashvars','filename=Video&rtmpPath=rtmp://67.xxx.xxx.xxx/vid/&finishURL=player.html');
    so.write("recorder");
    // ]]>
    </script>
    </body>
    </html>
    If it should be kept secure, is there a solution to keeping it hidden or secure?
  2. #2
  3. Gotta get to the next screen..
    I think the replies you got in your SitePoint thread covered it pretty well. The only real reason to hide the path is so that someone else can't put it on their own page. You can't really hide the path though since anyone with an HTTP sniffer can see what addresses are being called from your page.

    By "Keeping it secure" I'm assuming they mean that you have set the correct permissions on the server so that server scripts can access the path but anonymous users can't. That's really more down to the RTMP server you are using as well as the actual web host. The RTMP server (like Red5) will probably have more documentation on how to secure your installation.
    Quis custodiet ipsos custodes?
  4. #3
  5. Contributing User

    thanks


    Thanks for your reply.

    Just to clarify, you stated "The only real reason to hide the path is so that someone else can't put it on their own page",

    by "it" do you mean "The only real reason to hide the path is so that someone else can't put the path on their own page"?

    If they put the path on their page, how would that be a problem? I'm not clear on this. Any additional clarity would be appreciated.
  6. #4
  7. Gotta get to the next screen..
    By "it" I am referring to this link from your code:

    rtmp://67.xxx.xxx.xxx/vid/&finishURL=player.html

    If I knew the full address then I could put that same link on my page. Of course then I'd have to write my own stuff to handle your streaming system. I don't have any knowledge about rtmp specifically, I'm just talking about things in general. When they said you should lock down rtmp they probably meant you should check that the security is adequate both on your server and within your streaming system. You wouldn't want somebody to gain access to your media server and start using it for their own means. Immediate consequences apart from your server being compromised would be that they would also be stealing processing power and bandwidth from your genuine users.

    To be ultra sure you should really ask in the forum for the software you have chosen to use as that will have the highest concentration of users skilled in that specific package.
    Quis custodiet ipsos custodes?
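
Added example, not part of the thread or of any RTMP server's own code: since the `rtmpPath` in the page cannot be hidden, one common mitigation is to make the path alone insufficient by requiring a short-lived signed token that the web app issues and the media server checks before accepting a publish. The function names, the shared secret, the IP binding and the existence of a server-side validation hook are all assumptions for illustration.

```python
import hashlib
import hmac
import time

# Assumption: this secret is known only to the web app and to the media
# server's validation hook; it is never sent to the browser. Constructed value.
SECRET = b"constructed-demo-secret-replace-me"
TOKEN_TTL = 120  # seconds a token stays usable after the page is rendered


def _sign(stream, client_ip, expires):
    """HMAC over everything the token is bound to."""
    msg = f"{stream}|{client_ip}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(stream, client_ip, now=None):
    """Web app side: called while rendering the recorder page.

    The result would be passed to the recorder next to rtmpPath
    (how the SWF forwards it to the server is an assumption).
    """
    expires = int(time.time() if now is None else now) + TOKEN_TTL
    return f"{expires}.{_sign(stream, client_ip, expires)}"


def verify_token(token, stream, client_ip, now=None):
    """Media server side: hypothetical hook run before a publish is accepted."""
    try:
        expires_str, sig = token.split(".", 1)
        expires = int(expires_str)
    except ValueError:
        return False  # malformed token
    if (time.time() if now is None else now) > expires:
        return False  # expired: a path copied to another page stops working
    expected = _sign(stream, client_ip, expires)
    # Constant-time comparison; encode so non-ASCII input cannot raise.
    return hmac.compare_digest(sig.encode(), expected.encode())


if __name__ == "__main__":
    # Constructed sample values: stream "Video" as in the posted flashvars,
    # and a documentation-range client address.
    tok = issue_token("Video", "203.0.113.7")
    print("same client, same stream:", verify_token(tok, "Video", "203.0.113.7"))
    print("other client reusing it: ", verify_token(tok, "Video", "198.51.100.9"))
```

Binding to the client address assumes the web app and the media server see the same source IP, which may not hold behind proxies; the expiry and stream binding still apply without it.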
