|
»
« Return to Thread: Are SOs automatically reconnected?
Re: Are SOs automatically reconnected?
by Gavriloaie Eugen-Andrei
::
Rate this Message:
On Sat, Jul 4, 2009 at 8:13 PM, Andy Shaules <bowljoman@...> wrote:
Using a sniffer, they are reading the name of the service calls, then connecting from some IDE like flexbuilder where they can quickly build an array of calls.Now lately someone has started to inject RTMP packets (I have no clue how) into the data stream between server and chat applet.
The other problem is the 'someone'. It is time to connect real accounts with users on red5 to eliminate the 'someone' and turn it into an id/ip.
Assuming you have some SQL, add a collumn for a session variable. Create a hash out of some random information, and store it in a db associated with the user who logs in.
Give this hash to the user as a flash var. Your flash code must give this variable to red5. Red5 will reject any client without a valid hash in the db. Hash is not shared between users.
Yeah, and where is the security? If I'm "man in the middle" I still can grab that hash... I suggest RTMPS
Now when spam comes in, you have account identified with spammer, and other users can kick/ban.
If you lose connection of the netconnection to the point that you get a netConnection.Closed status message, you must manually reconnect any shared object.
----- Original Message ----- From: "Thomas Auge" <auge@...>
To: <red5@...>
Sent: Saturday, July 04, 2009 5:19 AM
Subject: [Red5] Are SOs automatically reconnected?
Hello list,
I'm trying to figure out some unusual activity on my server.
If I lose connection to the server while connected to a shared object, then reconnect the server, is the shared object automatically reconnected, too? This is flash.
The background is the following: For a long time I didn't have any security for the actual messages being exchanged in my chat room. Now lately someone has started to inject RTMP packets (I have no clue how) into the data stream between server and chat applet.
So I've started to sign the communication packets, so they could not be spoofed. As a result, the person has started to just copy packets, to spam things.
Since both the messages and the signature contain the connection ID I've started to match the sent connection ID against the real one in onSharedObjectSend().
Now some warnings appear for spoofed messages, which COULD be a race condition on reconnect. If the client reconnects. It receives the
new connection ID from the server and should not do anything before that. But if SOs would be automatically reconnected, some of the SO functions could fire with the old ID. This does sound unlikely, but some of the spoofing attempts come from an internal message type, which is triggered a lot through the SO and makes very little sense to mess with. ;)
tl;dr: see second paragraph. ;)
Thanks,
Thomas
_______________________________________________
Red5 mailing list
Red5@...
http://osflash.org/mailman/listinfo/red5_osflash.org
_______________________________________________
Red5 mailing list
Red5@...
http://osflash.org/mailman/listinfo/red5_osflash.org
_______________________________________________
Red5 mailing list
Red5@...
http://osflash.org/mailman/listinfo/red5_osflash.org
« Return to Thread: Are SOs automatically reconnected?
| Free embeddable forum powered by Nabble | Forum Help |
