Security is a concern for digital signage users, especially on an open platform. Mechanisms must be in place to prevent
- unauthorized access to media assets on servers, and
- man-in-the-middle attacks that play back unauthorized media files on public screens.
A-SMIL players support limited security options today, and strengthening them will continue to be a major development direction.
A-SMIL players submit a per-player unique signature in the HTTP User-Agent header. This allows identification by specialized media servers to prevent unauthorized access from a standard web browser. However, the determined hacker can produce a simulated User-Agent header to circumvent this mechanism.
HTTP basic and digest authentication are supported by A-SMIL players today. URLs can contain user name/password pairs per Section 3.1 of RFC 1738. The weakness of this scheme is that the user name and password pair is stored in plain text in the SMIL file. The determined hacker may discover the information using a sniffer in the same IP subnet as the media players.
A-SMIL is moving towards making HTTP over SSL (a.k.a. HTTPS) a mandatory requirement for all media players. This will prevent the sniffing that makes the current security mechanisms vulnerable.