HOORAY! I agree. White hats are ok but if you hit a homerun app and have a ton of people using Red 5 server on or, worse, off site managed/unmanaged - this could attract black hats. And that is the reason we have not made our live video share public yet.
Last week I had to add md5 to admin login etc. to an open source project config file (sitting exposed out on the edge) because the developer community did not think of security. I think everyone is so into getting apps to work and you're all so friendly to each other - you forget black hats are out there to cause havoc.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Interalab
Sent: Tuesday, May 15, 2007 5:39 AM
To: [email protected]
Subject: Re: [Red5] Red5 showcase: spreed.com

IMHO, security is becoming an important issue. Up to now, we haven't spent any time applying security or hiding shared objects or connection strings, etc. But, we just had to shut down our test server between tests because we found that someone had spent the time to look at our test apps and started connecting to our server. It didn't look malicious, just a connection and playing with the SO, but it's disturbing just the same.

Bill

Dan Rossi wrote:
> There are already things like playback, publish and sharedobject
> security. But I know what you mean, an authentication / authorisation
> framework, those security features could be used to roll your own, but
> there does need to be some kind of bean you can just enable in your xml
> config which sets up an authentication plugin for you utilising also the
> security methods. And you can customise the plugin yourself. It should
> be enabled with either an embedded db system like hibernate or jdbc etc.
> I hear now though that rtmps isn't so easy to set up or not working yet in
> red5? That would need to be enabled I guess to send secret keys or a
> login form to authenticate against. The problem I've yet to work out is
> if secret key loaded into the client via dynamic scripting is sniffable
> at runtime. Obviously it can't be stored in the swf.
>
> nomIad wrote:
>
>> Hey guys,
>>
>> I think that's really funny. I've done such an app too, 1 year ago.
>> I used FMS, but was on the way to use Red5.
>>
>> Some of us are doing pretty much the same thing, but there is no
>> FRAMEWORK related to that stuff?!
>>
>> We're all writing the cores of that without any standard way for
>> authentication, authorisation, etc.
>> I think it's time for a Flash Framework and Red5 kit for those sort of
>> apps...
>>
>> cu nomiad
>>
>> Storm wrote:
>>
>>> Hi Joachim, congrats! That's pretty similar to my own app hehe, only
>>> that my "live audio and video communication" is not an "all see all"
>>> videoconf, it works more like a classroom where the teacher sees
>>> everyone but the pupils only (should) look at the teacher. We also
>>> figured out a way to share presentations. But then again, congrats on
>>> that!
>>> The only point I'm missing is the screen sharing (and remote control),
>>> we've tried a few ideas to achieve that but they all were unproductive
>>> or too bandwidth greedy. Are you using only flash on client side for
>>> that? (that was one of my requirements). Hope you can throw some light
>>> on this, it would be much appreciated.
>>
>> _______________________________________________
>> Red5 mailing list
>> [email protected]
>> http://osflash.org/mailman/listinfo/red5_osflash.org
