Is swf verification useless?

[uthsteve]

Hi,

I know this is a strange place to ask security related questions about streams, but I figured who would know more than people who bypass this stuff everyday

I'm looking into some minimal security for some streams and I was reading up on swf verification. The streams in question are RTMP and are run off of Flash Media Server 3.0+

My understanding of swf verification is that you copy your swf files and place them in the swffolder and enable swf verification. Then every time you connect to a stream it checks to see if it is from the same swf, based on filename and size?

I'm using Flowplayer, so in my mind all someone has to do is look what version of Flowplayer the site is using and then ploop it in their site and it should be a valid swf. Even if I was using my own custom swf, isn't is possible to download swf files?

[svnpenn]

Quote:

Originally Posted by Adobe

(swf verification) ensures that only your SWF or AIR files can connect to your application or content on Flash Media Server.

This is false. The correct interpretation is:

Quote:

If anyone can obtain the publicly-available SWF or AIR file (or a hash of it, and knows the SWF or AIR file's size) they can also connect to your application or content.

Bottom line: All the information required to obtain the content is
publicly available. There is no "security".

http://lkcl.net/rtmp

You'd be better off looking at HTTP Dynamic Streaming I think.

[uthsteve]

Ya, that's exactly what I thought... Anyone can download a swf from a website. Even worse if you use a popular third-party video player where the user just has to download the same version as you.