Security on over the top tv services

Detalhes bibliográficos
Autor(a) principal: Pereira, Carlos Filipe Zambujo Lopes
Data de Publicação: 2011
Tipo de documento: Dissertação
Idioma: eng
Título da fonte: Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos)
Texto Completo: http://hdl.handle.net/10451/13937
Resumo: The widespread availability of high bandwidth Internet access on fixed and mobile networks, in conjunction with the availability of mobile devices powerful enough to play streamed high quality video, has created the demand for services that deliver television and video content over the Internet to television sets, personal computers and mobile devices. This demand has lead to the appearance of over-the-top TV and video service providers that deliver video over the Internet, using networks not operated by them. Video delivery in an open environment, like the Internet, requires operators to implement security mechanisms to protect their valuable content from illicit access and distribution. In this thesis, we investigate security properties needed to securely deliver OTT video services. In order to assess the security mechanisms employed to enforce authentication, authorization, digital rights management and geographical restrictions, we survey three prominent OTT service providers. Due to their size and choice of technologies, we selected Netflix, Hulu and Comcast. We studied the interactions between the client applications and the providers’ servers by inspecting the traffic of messages exchanged. For each of the security mechanisms analyzed, experiments were designed to find flaws and test their effectiveness. The most import- ant of the identified security issues are related to the handling and transmission of HTTP cookies when using web browser-based clients. These vulnerabilities are common to all surveyed providers and can be exploited by adversaries to steal authentication cookies and impersonate the customer, allowing illicit access to video assets and private information of the customer. A cookie stealing and session hijacking attack is described and mitigation strategies are presented for OTT service providers, users and wireless network access point administrators. These consist in the use of SSL to protect authentication tokens, the use HTTPS only or VPN services, and the use of WPA2 to protect wireless networks, respectively. An interesting result, observed with the analyzed mobileclient for Android devices, is that it uses SSL to protect the transmission of HTTP cookies used forauthentication. Thus, it is not vulnerable to the described attack.
id RCAP_323ece91e1f459fcf0eb697638c51722
oai_identifier_str oai:repositorio.ul.pt:10451/13937
network_acronym_str RCAP
network_name_str Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos)
repository_id_str 7160
spelling Security on over the top tv servicessecurityIPTVvideoOTTInternetThe widespread availability of high bandwidth Internet access on fixed and mobile networks, in conjunction with the availability of mobile devices powerful enough to play streamed high quality video, has created the demand for services that deliver television and video content over the Internet to television sets, personal computers and mobile devices. This demand has lead to the appearance of over-the-top TV and video service providers that deliver video over the Internet, using networks not operated by them. Video delivery in an open environment, like the Internet, requires operators to implement security mechanisms to protect their valuable content from illicit access and distribution. In this thesis, we investigate security properties needed to securely deliver OTT video services. In order to assess the security mechanisms employed to enforce authentication, authorization, digital rights management and geographical restrictions, we survey three prominent OTT service providers. Due to their size and choice of technologies, we selected Netflix, Hulu and Comcast. We studied the interactions between the client applications and the providers’ servers by inspecting the traffic of messages exchanged. For each of the security mechanisms analyzed, experiments were designed to find flaws and test their effectiveness. The most import- ant of the identified security issues are related to the handling and transmission of HTTP cookies when using web browser-based clients. These vulnerabilities are common to all surveyed providers and can be exploited by adversaries to steal authentication cookies and impersonate the customer, allowing illicit access to video assets and private information of the customer. A cookie stealing and session hijacking attack is described and mitigation strategies are presented for OTT service providers, users and wireless network access point administrators. These consist in the use of SSL to protect authentication tokens, the use HTTPS only or VPN services, and the use of WPA2 to protect wireless networks, respectively. An interesting result, observed with the analyzed mobileclient for Android devices, is that it uses SSL to protect the transmission of HTTP cookies used forauthentication. Thus, it is not vulnerable to the described attack.Neves, NunoChristin, NicolasRepositório da Universidade de LisboaPereira, Carlos Filipe Zambujo Lopes2012-02-03T11:18:35Z20112011-01-01T00:00:00Zinfo:eu-repo/semantics/publishedVersioninfo:eu-repo/semantics/masterThesisapplication/pdfhttp://hdl.handle.net/10451/13937enginfo:eu-repo/semantics/openAccessreponame:Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos)instname:Agência para a Sociedade do Conhecimento (UMIC) - FCT - Sociedade da Informaçãoinstacron:RCAAP2023-11-08T15:59:25Zoai:repositorio.ul.pt:10451/13937Portal AgregadorONGhttps://www.rcaap.pt/oai/openaireopendoar:71602024-03-19T21:35:51.721835Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos) - Agência para a Sociedade do Conhecimento (UMIC) - FCT - Sociedade da Informaçãofalse
dc.title.none.fl_str_mv Security on over the top tv services
title Security on over the top tv services
spellingShingle Security on over the top tv services
Pereira, Carlos Filipe Zambujo Lopes
security
IPTV
video
OTT
Internet
title_short Security on over the top tv services
title_full Security on over the top tv services
title_fullStr Security on over the top tv services
title_full_unstemmed Security on over the top tv services
title_sort Security on over the top tv services
author Pereira, Carlos Filipe Zambujo Lopes
author_facet Pereira, Carlos Filipe Zambujo Lopes
author_role author
dc.contributor.none.fl_str_mv Neves, Nuno
Christin, Nicolas
Repositório da Universidade de Lisboa
dc.contributor.author.fl_str_mv Pereira, Carlos Filipe Zambujo Lopes
dc.subject.por.fl_str_mv security
IPTV
video
OTT
Internet
topic security
IPTV
video
OTT
Internet
description The widespread availability of high bandwidth Internet access on fixed and mobile networks, in conjunction with the availability of mobile devices powerful enough to play streamed high quality video, has created the demand for services that deliver television and video content over the Internet to television sets, personal computers and mobile devices. This demand has lead to the appearance of over-the-top TV and video service providers that deliver video over the Internet, using networks not operated by them. Video delivery in an open environment, like the Internet, requires operators to implement security mechanisms to protect their valuable content from illicit access and distribution. In this thesis, we investigate security properties needed to securely deliver OTT video services. In order to assess the security mechanisms employed to enforce authentication, authorization, digital rights management and geographical restrictions, we survey three prominent OTT service providers. Due to their size and choice of technologies, we selected Netflix, Hulu and Comcast. We studied the interactions between the client applications and the providers’ servers by inspecting the traffic of messages exchanged. For each of the security mechanisms analyzed, experiments were designed to find flaws and test their effectiveness. The most import- ant of the identified security issues are related to the handling and transmission of HTTP cookies when using web browser-based clients. These vulnerabilities are common to all surveyed providers and can be exploited by adversaries to steal authentication cookies and impersonate the customer, allowing illicit access to video assets and private information of the customer. A cookie stealing and session hijacking attack is described and mitigation strategies are presented for OTT service providers, users and wireless network access point administrators. These consist in the use of SSL to protect authentication tokens, the use HTTPS only or VPN services, and the use of WPA2 to protect wireless networks, respectively. An interesting result, observed with the analyzed mobileclient for Android devices, is that it uses SSL to protect the transmission of HTTP cookies used forauthentication. Thus, it is not vulnerable to the described attack.
publishDate 2011
dc.date.none.fl_str_mv 2011
2011-01-01T00:00:00Z
2012-02-03T11:18:35Z
dc.type.status.fl_str_mv info:eu-repo/semantics/publishedVersion
dc.type.driver.fl_str_mv info:eu-repo/semantics/masterThesis
format masterThesis
status_str publishedVersion
dc.identifier.uri.fl_str_mv http://hdl.handle.net/10451/13937
url http://hdl.handle.net/10451/13937
dc.language.iso.fl_str_mv eng
language eng
dc.rights.driver.fl_str_mv info:eu-repo/semantics/openAccess
eu_rights_str_mv openAccess
dc.format.none.fl_str_mv application/pdf
dc.source.none.fl_str_mv reponame:Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos)
instname:Agência para a Sociedade do Conhecimento (UMIC) - FCT - Sociedade da Informação
instacron:RCAAP
instname_str Agência para a Sociedade do Conhecimento (UMIC) - FCT - Sociedade da Informação
instacron_str RCAAP
institution RCAAP
reponame_str Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos)
collection Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos)
repository.name.fl_str_mv Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos) - Agência para a Sociedade do Conhecimento (UMIC) - FCT - Sociedade da Informação
repository.mail.fl_str_mv
_version_ 1799134257609703424