Posts Tagged ‘security’

Some of the features from the next (unreleased) AVChat 3 build (the November one)

Monday, November 15th, 2010

The online demo of AVChat 3 has been updated to build 1052.

Here are some of the new features:

  • full .NET support (dropped classic ASP support)
  • moved position of free video time/day display
  • new admin limitations & settings in avc_settings.xxx
  • clean text chat area button
  • fixed some security issues with previewing files
  • fixed issues with some whois links not working
  • fixed issue with web cams going behind the text chat area

This build will be made available for download later this week after intensive testing!

The AVChat 3 build for August (900)

Monday, August 9th, 2010

New features:

  • works properly on Android phones with Flash Player 10.1
  • new setting: users can create only public or only private rooms (allowedRooms setting in avc_settings.xxx)
  • new setting: can users switch their stream to private/public (usersCanSwitchBetweenPrivateAndPublic setting in avc_settings.xxx)
  • new setting: turn off the video chat for maintenance (downForMaintenance setting in avc_settings.xxx)
  • new setting: kick users after being idle for some time (kickAfterIdleTime setting in avc_settings.xxx)
  • new setting: position the who is typing box at the top or bottom of the text chat (whosTypingPosition setting in avc_settings.xxx)
  • you can now control the background color of the users list from style.css
  • new [Reset] button in the admin’s Rooms panel that resets the users number
  • option to hide the top status bar completely (hideStatusBar in avc_settings.xxx)
  • initial RTL support (rightToLeft setting in avc_settings.xxx, feature still in beta)
  • toggle video button on other people’s webcams (turning video off on a stream will save a lot of bandwidth, you will still hear the audio)
  • profileURL in avc_settings.xxx is now independent for each user (this means that guests will not have a functional [View Profile] link in the video chat)
  • you can now change the female/male/couple icons used throughout the video chat (maleImageUrl, femaleImageUrl and coupleImageUrl settings in avc_settings.xxx)
  • an eye icon is now shown in the users list beside everyone who is watching you
  • slight improvement in emoticon positioning + emoticons are now resized if they are higher than 14px
  • the siteId variable for each user is now also available in the external rooms list
  • Social Engine 4 integration kit
  • updates to the phpFox2 integration kit (settings and pop-up options available directly from the admin area)

Security improvements:

  • token authentication for Red5, FMIS and Wowza (php only, turned off by default, article on how to turn it on will be available soon)
  • admins can now delete multiple rooms at once
  • admins can now ban ip ranges
  • added js code to the html files to prevent inclusion of the video chat in iframes
  • improved ip distribution and access to ip info mechanism
  • improved private messages distribution mechanism
  • added optional ip check to scripts on the web server that are called only by the media server
  • more secure upload process

Fixed bugs:

  • keyboard input did not matter when tracking your idle status
  • one could not enter a room that was full of hidden admins

How to get the new AVChat 3 build:

  • download the software again from your client area

How to update your installation:

  • in the usual way: overwrite ALL the old files (including the en.xml language file and the media server files) and restart the media server!
  • if the above fails make a clean install!

How to enable token based authentication in AVChat

Monday, August 9th, 2010

Starting with build 900, AVChat 3 introduces a new security feature called “token based authentication”. When enabled, this prevents 3rd-party SWF files (hosted on web sites other than your own, or by malicious users) from connecting to your media server. There are other security measures in place to prevent this, however token based authentication is the most secure!

This feature is turned off by default because with it enabled:

  • it takes slightly more time for users to connect to the media server,
  • it might cause some connection attempts to the media server over slow Internet connections to fail
  • we’ve only had a few clients that really needed this feature!

How to turn it on:

  • install AVChat
  • edit the settings file on the media server (avchat3.properties on Red5 and Wowza, settings.asc on FMIS)
  • set the value of the tokenUrlLocation variable to the absolute url to token_verify.php (token_verify.php is in the folder where you installed AVChat on your website, good example: http://avchat.net/demos/av30/token_verify.php)
  • restart the media server

New Service: “Secure your AVChat installation”

Tuesday, August 3rd, 2010

AVChat is pretty secure out of the box, however, there are steps you and your developers can take to make your AVChat installation even more secure. We have now grouped these steps in a NEW SERVICE we’ll offer called Secure your AVChat installation. The service is priced at $199. We will analyze your AVChat and media server installation and propose/implement security measures against a broad range of attacks.

These are some of the measures we will take:

  • Secure the data exchange between the clients and the media server by using rtmpe or rtmps instead of plain rtmp.
    RTMPS communication leverages the proven security of SSL to wrap your RTMP session. RTMPE-based communication offers some of the benefits of RTMPS, but not all. It trades performance and certificate-less communication for being a versioned protocol under private Adobe control. RTMPE is only available with Wowza and FMIS, not with Red5.
  • Secure connections to the media server by configuring and activating the token authentication mechanism in AVChat (will be available/detailed in the August build).
    The token based authentication ensures that only swf files from your web server are allowed to connect to your media server. To use it you need to manually configure and activate it.
  • Secure the streams from being rebroadcast.
    We can do that by placing a watermark/logo over them (see the watermarkForOtherPeoplesStreams var in avc_settings.xxx).
  • Secure AVChat’s admin area by limiting the ip’s from which admins can connect.
    AVChat allows you to limit the ip’s from which admins are allowed to connect through admin.swf (see the adminsAllowedFromTheseIps var in settings.asc on FMIS and avchat3.properties on Red5 and Wowza).
  • SWF verification (FMIS only)
    Turning on and configuring swf verification on FMIS ensures that custom swf files (with altered or additional functionality, etc.) will never be able to connect to YOUR media server.
  • Secure upload/download process
    The sending of files to rooms and individual users can be further secured by moving the upload folder to a non-public area on the web server.
  • Secure access to some scripts on the web server.
    Writeuserslist.xxx and other scripts are only called/executed by the media server. It’s safe then to make them execute only when called by the media server (and not when called from a web browser).
  • Remove any unneeded media server applications
    Both Red5 and FMIS ship with default sample applications; we’ll consider removing them so that these permissive and well-known applications can no longer run and be exploited.

Most of these measures can also be taken/implemented by you or your developers and we will try to post detailed information on each one of the above steps.
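Two of the items above, limiting the ip’s from which admins may connect and making scripts like writeuserslist.xxx run only when the media server calls them (the same idea as the optional ip check and the ip range bans in the August build), come down to one test: is the peer address inside an allowlist of addresses or CIDR ranges? The following PHP is an added example of that test and is not AVChat’s or the media server’s own implementation; the allowlist values and the `requireMediaServer` name are assumptions.

```php
<?php
// Added example, not AVChat's own code. A guard for web-server scripts that only
// the media server should be able to call, built on an IPv4 address/CIDR
// allowlist. The same isAllowed() check is the shape of an admin IP allowlist.

// Hypothetical allowlist: the media server's address plus an office range.
$MEDIA_SERVER_IPS = ['203.0.113.10', '192.0.2.0/24'];

/** True if $ip (dotted IPv4) falls inside $entry, which is a single IP or a CIDR block. */
function ipv4InRange(string $ip, string $entry): bool
{
    $ipLong = ip2long($ip);
    if ($ipLong === false) {
        return false;                       // not a valid IPv4 address
    }
    if (strpos($entry, '/') === false) {
        return ip2long($entry) === $ipLong; // exact match
    }
    [$net, $bits] = explode('/', $entry, 2);
    $netLong = ip2long($net);
    if ($netLong === false || !ctype_digit($bits) || (int) $bits > 32) {
        return false;                       // malformed allowlist entry never matches
    }
    // -1 << n keeps the top n bits; /0 matches everything, /32 is an exact match.
    $mask = -1 << (32 - (int) $bits);
    return ($ipLong & $mask) === ($netLong & $mask);
}

/** True if $ip matches any entry of the allowlist. */
function isAllowed(string $ip, array $allowlist): bool
{
    foreach ($allowlist as $entry) {
        if (ipv4InRange($ip, trim($entry))) {
            return true;
        }
    }
    return false;
}

/**
 * Place at the top of a script that only the media server should call.
 * REMOTE_ADDR is the TCP peer address; X-Forwarded-For is deliberately ignored
 * because any client can set that header. If the media server reaches the web
 * server through a proxy, allowlist the proxy address instead.
 */
function requireMediaServer(array $allowlist): void
{
    $peer = $_SERVER['REMOTE_ADDR'] ?? '';
    if (!isAllowed($peer, $allowlist)) {
        http_response_code(403);
        error_log('Blocked call to ' . ($_SERVER['SCRIPT_NAME'] ?? 'script') . ' from ' . $peer);
        exit('Forbidden');
    }
}

requireMediaServer($MEDIA_SERVER_IPS);
// ... the media-server-only work (e.g. writing the users list) follows here.
```

Keeping the check inside the script rather than only in the web server configuration means it still holds if the vhost config is later regenerated; doing both is cheap.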

Securing such a complex product needs a lot of thinking as there are a lot of angles a hacker can take to attempt to disrupt the normal activity in the video chat.