[Red5] Is there any way to restrict connections by httpreferer like the vhost.xml <Allow> tag in FMS?

Walter Tak walter at waltertak.com
Fri Feb 15 05:49:55 PST 2008


It is a simple solution that isn't waterproof. But it's better than having a non-protected swf that can be copied to any domain and is able to connect to your red5 server.

A simple check between swf, script and red5 would stop 99% of the freeloaders and that was the idea.

For mission critical apps I'd recommend some challenge-response system and tokens that can only be issued once and expire after a few minutes. Then only man-in-the-middle attacks and session hijacking are possible, but I don't consider hijacking a real problem for most applications since not so many people are able to sniff YOUR connection to a remote Red5 server (only network admins can do that on your company/school LAN and on the receiving Red5 server LAN at the ISP).

Regards,
Walter


  ----- Original Message ----- 
  From: Dan Rossi 
  To: red5 at osflash.org 
  Sent: Friday, February 15, 2008 1:36 PM
  Subject: Re: [Red5] Is there any way to restrict connections by httpreferer like the vhost.xml <Allow> tag in FMS?




  On 15/02/2008, at 11:12 PM, Walter Tak wrote:


    Why don't you send a "secret password" from the swf to Red5 so Red5 can verify that it's really one of your own swf's that's calling/using Red5?


  Flash is sniffable? That's why there should be a token system somehow put in place. I tried but I cannot figure out session handling yet.
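
The challenge-response scheme with one-time, expiring tokens suggested in the message above, sketched as an added example that is not part of the original thread and not Red5 code. The class name `ChallengeTokens`, the 3-minute lifetime, the HMAC-SHA256 response and the demo secret are assumptions; it uses only the Java standard library and no Red5 API.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical helper, not part of Red5: one-time, expiring challenge tokens.
public class ChallengeTokens {
    private static final long TTL_MS = 3 * 60 * 1000;  // assumed value for "a few minutes"
    private final SecureRandom rng = new SecureRandom();
    private final Map<String, Long> pending = new ConcurrentHashMap<>(); // challenge -> expiry
    private final byte[] secret;

    public ChallengeTokens(byte[] secret) { this.secret = secret.clone(); }

    // Step 1: the server issues a fresh random challenge and records its expiry time.
    public String issue(long nowMs) {
        byte[] nonce = new byte[16];
        rng.nextBytes(nonce);
        String challenge = Base64.getUrlEncoder().withoutPadding().encodeToString(nonce);
        pending.put(challenge, nowMs + TTL_MS);
        return challenge;
    }

    // Step 2: the client answers with HMAC-SHA256(secret, challenge); the secret is never sent.
    public static byte[] respond(byte[] secret, String challenge) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(secret, "HmacSHA256"));
        return mac.doFinal(challenge.getBytes(StandardCharsets.UTF_8));
    }

    // Step 3: the server verifies. remove() makes each challenge single-use, so a
    // sniffed response cannot be replayed; unknown or expired challenges are rejected.
    public boolean verify(String challenge, byte[] response, long nowMs) throws Exception {
        Long expiry = pending.remove(challenge);
        if (expiry == null || nowMs > expiry) return false;
        return MessageDigest.isEqual(respond(secret, challenge), response); // constant-time compare
    }

    public static void main(String[] args) throws Exception {
        byte[] secret = "constructed-demo-secret".getBytes(StandardCharsets.UTF_8); // constructed sample
        ChallengeTokens server = new ChallengeTokens(secret);
        long t0 = System.currentTimeMillis();
        String c = server.issue(t0);
        byte[] r = respond(secret, c);
        System.out.println("fresh:    " + server.verify(c, r, t0 + 1000));
        System.out.println("replayed: " + server.verify(c, r, t0 + 2000));
        String c2 = server.issue(t0);
        System.out.println("expired:  " + server.verify(c2, respond(secret, c2), t0 + TTL_MS + 1));
    }
}
```

Challenges that are issued but never answered stay in `pending` here, so a real deployment would purge expired entries periodically. A secret compiled into the swf can still be extracted from the file, so this only stops replay of sniffed values.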
