by jpravetz 5566 days ago
If Sendoid is completely relying on RTMFP then the core security technology would have to be coming from Adobe. Check out Matthew Kaufman's two year old talk on the subject: http://tv.adobe.com/watch/max-2008-develop/future-of-communi... Or Tom Krcha's blog which contains a number of Flash P2P entries: http://www.flashrealtime.com/ RTMFP is pretty fascinating technology that originates with a couple of very smart guys that Adobe brought on board (Matthew Kaufman and Michael Thornburgh). I'm curious if the Sendoid team has a non-Flash solution for 'restricted' devices.

If I understand RTMFP (what I know I got from reading Cumulus, an open source C++ implementation), the security side of this is not thrilling me:

* It's Diffie-Hellman for key agreement, which is trivially MITM'd (odds are, you can even zero out the DH key and it won't notice).

* It uses AES in CBC mode with all-zeroes IVs (so it's less secure than CBC mode).

* It's using a 16 bit CRC for message integrity checks instead of a cryptographic MAC.

I say all this with the caveat that I could be misreading Cumulus or Cumulus could have it wrong, but if this is where RTMFP is today, then Sendoid is substantially less secure than an HTTPS file transfer site.
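As an added example (not code from this thread, from Cumulus or from RTMFP), the CRC-versus-MAC point in the third bullet: a CRC-16 is a keyless function of the bytes, so a receiver that checks one still accepts a deliberately substituted payload that carries a freshly computed CRC, whereas an HMAC over the same payload only verifies if whoever produced it held the session key. The CRC-16/CCITT-FALSE variant, the sample frames and the key are assumptions.

```python
import hmac
import hashlib

# Constructed sample chunk, a constructed substitution, and a constructed key.
ORIGINAL = b"chunk 17 of report.pdf: balance due 100 USD"
MODIFIED = b"chunk 17 of report.pdf: balance due 900 USD"
KEY = b"session-key-held-only-by-the-two-endpoints"

def crc16_ccitt(data: bytes) -> int:
    """CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF): keyless, 16-bit error detection."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = (crc << 1) ^ 0x1021 if crc & 0x8000 else crc << 1
            crc &= 0xFFFF
    return crc

def crc_frame(payload: bytes) -> bytes:
    return payload + crc16_ccitt(payload).to_bytes(2, "big")

def crc_frame_ok(frame: bytes) -> bool:
    return crc16_ccitt(frame[:-2]).to_bytes(2, "big") == frame[-2:]

def hmac_frame(key: bytes, payload: bytes) -> bytes:
    return payload + hmac.new(key, payload, hashlib.sha256).digest()

def hmac_frame_ok(key: bytes, frame: bytes) -> bool:
    expected = hmac.new(key, frame[:-32], hashlib.sha256).digest()
    return hmac.compare_digest(expected, frame[-32:])  # constant-time compare

def demo() -> dict:
    # A CRC does catch accidental corruption: one flipped payload bit fails the check.
    corrupted = bytearray(crc_frame(ORIGINAL))
    corrupted[0] ^= 0x01
    # But the check value is a public function of the bytes, so a deliberately
    # substituted payload arrives with a perfectly valid CRC attached.
    crc_substituted = crc_frame(MODIFIED)
    # With an HMAC, whoever lacks KEY can at best reuse the old tag on new bytes.
    hmac_substituted = MODIFIED + hmac_frame(KEY, ORIGINAL)[-32:]
    return {
        "crc_accepts_original": crc_frame_ok(crc_frame(ORIGINAL)),
        "crc_detects_bit_flip": not crc_frame_ok(bytes(corrupted)),
        "crc_accepts_substituted": crc_frame_ok(crc_substituted),
        "hmac_accepts_original": hmac_frame_ok(KEY, hmac_frame(KEY, ORIGINAL)),
        "hmac_accepts_substituted": hmac_frame_ok(KEY, hmac_substituted),
    }

if __name__ == "__main__":
    print(demo())
```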

Thanks, and I'm hoping that part of flash works better than the video component on 64 bit linux.