Adobe SWF Verification
So Adobe has this thing, called “SWF Verification”, which is touted as some kind of content security scheme for streaming media.
Now, it’s fair to say that SWF Verification is marginally more useful than, say, checking a referrer, because it does rely on you having access to the SWF itself (at least for a short period) in order to perform the operations that the genuine Flash Player does.
Assuming you do (because it’s publicly accessible, and SWF Verification has been deployed as a mechanism to prevent downloading of streaming media in ways which Adobe Flash Player doesn’t permit), then it really is just a slightly more long-winded form of a referrer check.
SWF Verification is based upon a hash derived from the SWF file your server is expecting to be requesting the streaming media, and a fixed string. Well, currently it’s fixed, but in future it could vary: either way, if your client has access (as Adobe’s Flash Player does) to the actual SWF, then all this does is confirm that you know how to use sha256-hmac and speak the protocol.
Listen up, because this is a crucial part of how the Internet works: there is nothing you can implement on a server which can tell the difference between program “A” on a client and program “B” on a client, if both A and B have access to all of the same resources, talk the same protocols, and the latter goes to the trouble of emulating the former at a protocol level. None. A and B will be utterly and completely indistinguishable so long as one person is willing to put in the small amount of effort required to make it so.
Feel free to do us all a favour and stop trying. It will make the lives of both you and your customers a little easier.
