Skip to main content
N
Nick_WasDC
Participant
October 21, 2009
Question

FMSS live publishing access control

  • October 21, 2009
  • 1 reply
  • 1228 views

So here is my story..  It's part amusing, part sad.

We deployed FMDS 3 for a test deployment to live stream events.  We developed a video player for it.  We setup a system with FLE to publish a stream.  We setup the server to authenticate publishing the stream.  We tested fairly extensively.  Everyone loved it.  Video and audio quality was great, bandwidth usage was acceptable, and the demands it placed on operations and the teams publishing streams was low.

Based on this experience we purched the license to upgrade our development version to FMSS 3.  $995, not cheap, but completely reasonable.  Everyone was happy.  Things ran smoothly.  It was a totally successful project.  ROI on the way.

No one noticed that the access control suddenly wasn't working anymore, as it doesn't show an error loading the access module in the logs...  Live stream publishing worked, but it was working without any type of access control.  We even upgraded (read: paid) for FMSS 3.5 since we were so happy with how Adobe's solution worked for us.

Suddenly this afternoon, I noticed about 80Mbit of bandwidth being used to stream porno and soccer games.  Really..  Soccer and porno.

I dig deeper, and discover that access control for stream publishing simply wasn't working.  I completely re-install the server and FMSS 3.5, assuming some sort of credential theft or compromise had taken place.

I dig even deeper, and discover via these forums that no method of applying access control to live stream publishing exists.  The access module doesn't work for FMSS.  FMSS has no method for access control based on user/password credentials.  Not even based on IPs....  (http://forums.adobe.com/thread/100168)

Now, I am very sad.  I honestly am having trouble grasping this.  Does this product truly have no means of applying any type of access control to stream publishing?  If so, what application exactly is it designed for?  You can't put it on the Internet!  There is no way I have been able to find to prevent illicit (and possibly illegal) usage of a FMSS server.

Have I missed some technical solution to this problem?  Is this an oversigh that Adobe is addressing somehow?

If it's necessary to upgrade to FMIS to have basic access control, I don't understand why FMSS exists.  Also, given that our only interest is having a single live stream for events, the cost benifit simply isn't there for FMIS.  What is Adobe's official stance on this problem?  Nothing makes sense.

HELP!  I don't want to have to abandon this solution..   Its worked so well!

    This topic has been closed for replies.

    1 reply

    A
    Anonymous
    October 22, 2009

    Unfortunately, I don't think anything has changed since the post you linked to was opened. Given that the FMS product manager confirmed it there, I think it's safe to say you'll need to upgrade to FMIS.

    N
    Nick_WasDCAuthor
    Participant
    October 22, 2009

    As this stands right now, Adobe customers running FMSS server on the Internet have no means of restricting anyone on the Internet from publishing streams using their server.  This is simply unacceptable.  It is also completely at odds with this statement on Adobe's page selling FMSS under the "Security" header:

    http://www.adobe.com/products/flashmediastreaming/

    Adobe is committed to security. Continuously investing in protecting content, eliminating vulnerabilities, and preventing exploitations is a top priority. We have developed innovative ways to protect your content, including, for example, stream encryption with RTMPE, SWF verification, and the ability to create custom security solutions using domain restriction, user authentication, unique key/token handshakes, and dynamic access control. These security measures are robust but still unobtrusive, intuitive, and convenient to consumers.

    I want someone from Adobe to offically tell me that FMSS does not provide a way to restrict anyone on the Internet from publishing streams to my server before I call further attention to this oversight.

    There are only two options:

    1)  This is simply an oversight in the product strategy for FMSS and FMIS that Adobe needs to address.

    2)  A technical solution exists, but it is poorly documented and customers such as myself are unable to figure it out.

    I refuse to belive that Adobe would leave paying customers in a situation where they are unable to use an Adobe server product without being subject to theft of services.  This isn't about protecting copyrighted data or anything like that..  This is simply about being able to prevent people from outright stealing services from customers using Adobe server products.

    Curently, it is simply not safe to expose a licensed FMSS server to the Internet.

    A
    Anubis_mxy
    Participating Frequently
    October 23, 2009

    Hi All:

         It's not a problem , Because FMS has access control by some method .

         We also have a big FMS system , so I tell you some simple methods to resolve this question .

    1. you can use fms SWF verify function , get the info from fms document .
    2. develop a access plug , notice , not auth plug , because access plug can do more things . How does it work . you can check the URL with var in access plug ,and do what you want .
    3. write a main.asc for you fms app ,  and do the access control in you code logic . FMS app can communicate with other data service .

         I think the answer can help you .

    Terms & ConditionsAccessibility statement
    Using the community Terms of use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices