Replay Media Catcher and the nc.verifyClient method

I recently helped someone (on the Adobe FMS support forum) who was having a problem with Replay Media Catcher being able to steal video content from what was assumed to be a protected FMS application. I’ve decided this one is worthy of a blog post, as it may help others who find themselves in the same situation.

Not long ago, Kevin Towes posted a whitepaper outlining methods to use for verifying clients connecting to Flash Media Server. A focus of this whitepaper is how to prevent Replay Media Catcher and other RTMP “rippers” from consuming video from an FMS application. One of the methods described is to use a remote method invocation, whereby the server calls out to the client with a random string or series of numbers, and the client returns that string to the server (see page 25 of the whitepaper for the sample code).

It seems that the developers of Replay Media Catcher read that whitepaper, came to the conclusion that lots of people would just copy and paste the sample code, and decided it would be in their interests to add a method named “verifyClient” to Replay. If you use the sample code from the whitepaper as-is, Replay will be able to defeat your protection.

The fix is a simple one… don’t use verifyClient as the method name. Just change it to something else, like nc.replayCantStealMyVideo (but don’t use that either… the Replay developers might be reading this right now and adding it to their code).
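
A small model of the handshake shows why the rename matters. This is an added example, not code from the whitepaper or from FMS: `challengeClient`, `genericClient`, `ownPlayer` and the method name `checkPlayer_7f3a` are hypothetical, and plain JavaScript objects stand in for the client side of the connection.

```javascript
const { randomBytes } = require('crypto');

// Server side of the model: call a method on the connecting client by name,
// passing a fresh random string, and accept only if the same string comes back.
function challengeClient(client, methodName) {
  const nonce = randomBytes(16).toString('hex');
  const hasMethod = Object.prototype.hasOwnProperty.call(client, methodName) &&
    typeof client[methodName] === 'function';
  if (!hasMethod) {
    return { accepted: false, reason: 'client does not implement ' + methodName };
  }
  const reply = client[methodName](nonce);
  return reply === nonce
    ? { accepted: true, reason: 'challenge echoed' }
    : { accepted: false, reason: 'reply did not match challenge' };
}

// Constructed clients. The generic one implements only the name published in
// the sample code; the site's own player implements the renamed method.
const CUSTOM_METHOD = 'checkPlayer_7f3a'; // hypothetical per-deployment name
const genericClient = { verifyClient: (s) => s };
const ownPlayer = { [CUSTOM_METHOD]: (s) => s };

function runModel() {
  return {
    // Sample code used as-is: the generic client passes the check.
    defaultNameGeneric: challengeClient(genericClient, 'verifyClient').accepted,
    // Method renamed on server and in the site's player: generic client fails.
    renamedGeneric: challengeClient(genericClient, CUSTOM_METHOD).accepted,
    renamedOwnPlayer: challengeClient(ownPlayer, CUSTOM_METHOD).accepted,
  };
}

console.log(runModel());
```

The check rests entirely on the connecting client not knowing the method name, which is the limitation the remark about the Replay developers points at.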

Link to the whitepaper: http://www.adobe.com/devnet/flashmediaserver/articles/protecting_video_fms.pdf
