On Tue, Mar 9, 2010 at 14:23, Iain Wallace <[email protected]> wrote:
> It's the access to the referrer part that I don't understand. Why is
> it any harder for an invalid client to access it than a valid one?
> This is locking the door and then putting the key under the mat. Once
> everyone realises where the key is it's all a bit trivial. You'd have
> to put completely different protection on the referrer file itself.

Not really. Think of the situation where the media is served from a CDN but the player SWF (i.e., the referrer) is behind a paywall. SWF Verification allows the CDN to have a list of keys which are known-good, and so be (slightly) confident that only those successfully hitting the media have authenticated themselves properly to access the SWF, without needing to build some sort of federated auth system on the CDN.

This is, obviously, contingent on nobody with legitimate access to either the SWF or the content redistributing it, but that’s not the problem it’s intended to solve.

Also, it all rather depends upon what you define as an “invalid” client: is something which properly implements the protocol and whose user has legitimate access to the SWF a valid or an invalid client? If the answer isn’t “valid”, SWF Verification isn’t the solution you’re looking for.

I’m not actually defending SWF Verification, incidentally. But, from what I can gather from various people “in the industry” (plus, of course, Adobe’s legal threats), there’s a huge amount of misunderstanding as to what it actually _is_, which means it gets deployed in ridiculous situations.

(Simple example: if the “authentication” layer for your SWF is GeoIP-driven restrictions, and those same restrictions exist on the CDN, implementing SWF Verification is pointless, because those denied from accessing the SWF are *already* denied from accessing the media).

>> On an _utterly_ unrelated note, isn’t it weird how Red5 can happily
>> implement SWF Verification on the server side, but XBMC apparently
>> can’t on the client?
>
> Quite. Padlocks are legal but lock picks are "going equipped" in
> British law, but only if you wander around with them.

Except that implementing SWF Verification in XBMC wouldn’t be anything like having a lock pick. It’s more like having fingers which can grasp a key—you still need the key (the SWF, in this now slightly tortuous analogy!).

M.

-
Sent via the backstage.bbc.co.uk discussion group. To unsubscribe, please visit http://backstage.bbc.co.uk/archives/2005/01/mailing_list.html.
Unofficial list archive: http://www.mail-archive.com/[email protected]/

