I recently watched a video demonstrating that a red5 application with only stub code is capable of streaming and recording. This means anyone could use my server to stream their content and that’s best case. So my questions are
1. To me this seems that red5 doesn’t take security seriously; am I incorrect to assume this?
2. Do they rapidly release security updates?
3. If the above are yes then what implementation precautions should I take to solve this and other “undocumented features”?
(topical answers are fine all I need is enough to Google the specifics)
To secure your streams you can edit the file: red5-web.properties (in $red5/webapps/$your-app/WEB-INF/)
webapp.virtualHosts defines the IP/domains that are allowed to connect to your Red5 application.
So if your application is hosted on myserver.com, and you want only SWFs that are loaded from myserver.com to be able to connect to your streams then you can configure red5-web.properties.
AFAIK: The “security” here is that every SWF sends automatically to the RTMP server a IP/Domain where it has been loaded from. So with some motivation you could build a RTMP client in Java or C++ that simulates connecting from another domain.
However, for simple scenarios, for example for protecting your stream from being embeded with some FLV player in another website, this should already help.
There is also a possibility to set up usage of RTMPS:
http://incubator.apache.org/openmeetings/RTMPSAndHTTPS.html
however this will not prevent anybody from embeding your stream into his website.
See my answers here:
https://stackoverflow.com/a/13006632/1448704
And you can find some more links about docs and articles in my other answer:
https://stackoverflow.com/a/13006704/1448704
Sebastian