Secure live broadcast via RTMPS
Living online and broadcasting everyday moments to personal Facebook and YouTube accounts is no longer a hobby but almost the rule for a generation that has grown up with social networks and smartphones. As streaming moves from the exotic to a serious business that brings in serious money, more and more enterprises, government agencies and educational institutions are enthusiastically taking up broadcasting. But how safe and protected is a live broadcast? The answer may surprise you.
When most people think about secure streaming, they think about restricting access to the live broadcast. This is usually done with streaming privacy settings, such as unlisting a stream or creating a private streaming event on YouTube or Facebook. These privacy settings apply to the distribution side of a live stream, that is, the stream transmitted from the content delivery network (CDN) to the viewer. The event owner controls who receives the stream URL needed to view it.
Distribution-side protection
To secure streaming on the distribution side, there are some common methods of restricting access to content, such as secure portals that require authentication by user name and password. After authentication, the content is encrypted (usually using HTTPS) before it is distributed for viewing. With the security handshake completed and the correct certificate validated on the viewer's computer, the viewer can be sure that the streaming content comes from a trusted site.
But what about protecting content sent to a CDN before distribution? As soon as your live broadcast hits the Internet, it becomes vulnerable. Most stream privacy settings do not protect the signal that travels from the content source to the CDN.
Outbound protection with RTMPS
Software and hardware streaming encoders typically use a data transfer protocol called RTMP (Real-Time Messaging Protocol). It is reliable, but not very secure. RTMP is prone to spoofing (for example, someone pretending to be YouTube and redirecting your stream to another server) and to other man-in-the-middle attacks. It is possible for someone to maliciously disrupt an important live broadcast. So how do you avoid this without a PhD in IT and without spending a lot of money? The answer is secure streaming with RTMPS.
The easiest way to protect a content stream from spoofing and eavesdropping is to use secure live streaming with RTMPS. RTMPS is a secure version of RTMP: in essence, it is RTMP over TLS. The RTMPS streaming protocol secures the stream by encrypting it between the encoder and the CDN, but that is not all. RTMPS also protects against domain name spoofing. A handshake between the sender (you) and the recipient (a CDN such as Facebook) confirms that you are indeed sending your content to the intended destination. To use secure live streaming with RTMPS, however, both the video encoder that sends the content and the CDN you are broadcasting to must support it.
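An added example, not part of the original article or any vendor's code: the Python below audits a list of encoder publish URLs for cleartext RTMP and builds the certificate and hostname verification that the RTMPS handshake relies on. The hosts, stream keys and function names are hypothetical, and treating 443 as the default RTMPS port is an assumption based on common practice.

```python
import socket
import ssl
from urllib.parse import urlsplit

# RTMP's default port is 1935; RTMPS is commonly served on 443 (assumption).
DEFAULT_PORTS = {"rtmp": 1935, "rtmps": 443}

# Constructed encoder destinations (hypothetical hosts and stream keys).
SAMPLE_DESTINATIONS = [
    "rtmps://ingest.example.net:443/live/KEY-PLACEHOLDER",
    "rtmp://ingest.example.net/live/KEY-PLACEHOLDER",
    "https://portal.example.net/watch",
]

def audit_destination(url):
    """Classify one publish URL by how the encoder-to-CDN leg is protected."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return {"url": url, "verdict": "not-rtmp"}
    finding = {"url": url, "host": parts.hostname,
               "port": parts.port or DEFAULT_PORTS[scheme]}
    # Plain RTMP has no TLS: no encryption and no server identity check.
    finding["verdict"] = "encrypted" if scheme == "rtmps" else "cleartext"
    return finding

def strict_tls_context():
    """TLS settings an RTMPS client should use: verify chain and hostname."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def probe_ingest(host, port, timeout=5.0):
    """Run the TLS handshake against a live ingest host (needs network).

    Raises ssl.SSLCertVerificationError when the certificate does not match
    `host`, i.e. when the server cannot prove it is the intended destination.
    """
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with strict_tls_context().wrap_socket(raw, server_hostname=host) as tls:
            names = [v for k, v in tls.getpeercert().get("subjectAltName", ())
                     if k == "DNS"]
            return {"tls_version": tls.version(), "dns_names": names}

if __name__ == "__main__":
    for dest in SAMPLE_DESTINATIONS:
        print(audit_destination(dest))
```

Run `probe_ingest` against your own CDN's ingest host before an event to confirm that the handshake succeeds with verification enabled.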
Secure live streaming with RTMPS to Facebook and CMSs such as Kaltura and Panopto
Most private CDNs and content management systems, such as Kaltura and Panopto, already support secure streaming with RTMPS, but unfortunately not all do. For example, YouTube, Twitter and Vimeo Live currently support only RTMP for live streaming. They may offer other security options, such as delisting or creating a private stream, but these security measures begin to work only after your content crosses the Internet and reaches the CDN - and if this stream goes via RTMP, it is vulnerable.
Of the popular free streaming platforms, only Facebook has the option “Use secure connection (SSL)” when creating a streaming event, which enables secure streaming with RTMPS. However, it is just a matter of time before all streaming platforms offer secure streaming with RTMPS. And this day may come sooner rather than later.
Wrap it up!
If you broadcast events that are confidential, you definitely need the extra security that you get when using hardware video encoders such as the Epiphan Pearl Mini. They offer customizable RTMPS streaming, as well as 802.1x network security and HTTPS for secure administration.