Are RTMPE and SWF Verification False Security?
Posted by Jay Charles | Filed under Flash Platform
A discussion today on the Flash Media Server List and a post on Stefan’s blog brought to my attention a DMCA takedown order Adobe issued to SourceForge, requesting that SourceForge remove the Rtmpdump project. The details about Rtmpdump and the takedown order are pretty well covered in the links… you can read in there if you want the nitty gritty on the story.
In most cases, this is the point where I’d fly into a rant about how open source fundamentalists need to realize that not everything is theirs… but that’s not the point of today’s post. If you’re in the mood for that part of the discussion, it’s pretty well handled at Slashdot.
What concerns me today is the information posted here and analysis posted here (written by someone who is clearly biased, but seemingly knowledgeable) suggests that neither RTMPE nor SWF Verification are not as secure as one might think.
The report suggests that all of the information required to compromise RTMPE and SWF Verification can be obtained from the publicly available .swf file alone. This is something I’ve always suspected of SWF Verification, but the idea that the same may be true of RTMPE is a bit disheartening.
It will be interesting to see how Adobe reacts to this. In the meantime, I’m not making any RTMPE recommendations (and feeling a bit relieved that I’ve never implemented RTMPE to satisfy critical security requirements on any past project).