Security FAQs

Streamwell was built from the ground up to be not just private and easy to use, but also secure, so you can stream with confidence. During development we worked with some of the top security researchers in the country to review our code, enforce best practices and check for security loopholes. Read on for answers to some of the most common security-related questions:

Q: Are my streams secure?

A: For streaming into Streamwell, we support RTMP and SRT (Secure Reliable Transport). Users who are concerned about the security of their stream connection should always use SRT. The web-based player uses WebRTC, which encrypts the stream to all viewers with DTLS + SRTP.

 

Q: Are the stream keys secure?

A: The stream key alone is not enough to send a stream into Streamwell. Whether you are using RTMP or SRT, the stream key provided in the web interface is signed by the server using HMAC-SHA256, a keyed message authentication code. The signing key can be randomly generated when the application is installed, or provided by the user. The signature values are not stored in the database and are only calculated when a logged-in user with adequate permissions loads a page where the stream keys are visible.
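As an added illustration (not Streamwell's own code), the sketch below shows how a server can sign a stream key with HMAC-SHA256 and check it at ingest by recomputing the tag, so no signature has to be stored. The `<key>.<hex tag>` layout, the function names and the sample key are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
from typing import Optional


def sign_stream_key(stream_key: str, secret: bytes) -> str:
    """Return '<stream_key>.<hex tag>' (assumed layout, not Streamwell's)."""
    tag = hmac.new(secret, stream_key.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{stream_key}.{tag}"


def verify_signed_key(presented: str, secret: bytes) -> Optional[str]:
    """Return the stream key if its tag verifies under `secret`, else None."""
    # Split on the last dot: the hex tag never contains one.
    stream_key, sep, tag = presented.rpartition(".")
    if not sep or not stream_key:
        return None  # bare stream key with no signature attached
    expected = hmac.new(secret, stream_key.encode("utf-8"), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many tag characters matched.
    if not hmac.compare_digest(expected.encode("ascii"), tag.encode("utf-8")):
        return None
    return stream_key


if __name__ == "__main__":
    # Assumption: the secret is 32 random bytes generated at install time.
    secret = secrets.token_bytes(32)
    signed = sign_stream_key("channel-7f3a", secret)  # constructed sample key

    print("valid    :", verify_signed_key(signed, secret))
    print("unsigned :", verify_signed_key("channel-7f3a", secret))
    print("tampered :", verify_signed_key("channel-0000." + signed.split(".")[1], secret))
    # Replacing the server secret invalidates every previously issued value.
    print("rotated  :", verify_signed_key(signed, secrets.token_bytes(32)))
```

Because verification only needs the secret and the presented value, a leaked database does not reveal usable signed keys, but anyone who obtains the server secret can sign arbitrary stream keys.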

 

Q: Does Streamwell support HTTPS?

A: You bet! Not only is HTTPS recommended for all internet-facing installs, there is an easy built-in feature to issue and update the TLS certificate with just a click. This means that users of all skill levels can utilize HTTPS without complicated install procedures or expensive professional services. Just forward port 443 to your server, activate HTTPS in the easy web-based admin interface, and it just works - like magic!

 

Q: Is the web client secure?

A: Every aspect of the web client was designed with security in mind. All user inputs are validated server-side, and great care has been taken to prevent SQL injections or XSS vulnerabilities. Other web client security features include the ability to “kick” all viewers from a public link; reset of the stream keys / public links for any channel with a click; auto-expiry of a user session when the same account is logged in from another location; double-checking of user permissions at each page load, and lots more!

 

Q: What about the back-end server itself?

A: Streamwell is a containerized Docker application, which provides a huge layer of security out of the box - even if a bad actor manages to breach the application, they would be unable to communicate with the host it is running on due to the virtualization architecture used by Docker. Additionally, in terms of logging, there is an option to obfuscate user and viewer IP addresses (this is not enabled by default, as this information is generally considered useful to a system administrator when auditing usage of the server).

 

Q: What about the database? 

A: Streamwell uses a MySQL database, secured by a user-provided key. User passwords are not stored directly in the database, only password hashes which cannot be recreated without providing the original password. There is a ‘super admin’ user that can back up and restore this database through the web interface, giving them the convenience of a simple database workflow while retaining the security advantages of MySQL.

 

Q: What about file and data storage?

A: Shared files, logs, recordings and the TLS certificate are stored by default inside the container for maximum security, but can be easily mapped to user-controlled storage locations outside of the container.

 

Q: Does the server communicate with any third-party services or “call home”?

A: No. Streamwell never tracks, advertises, or promotes third-party content to your users. The only communications are between users, viewers, and the Docker application itself, which runs on a host of your choosing.

 

Q: Does Streamwell work behind a VPN?

A: Yes, as long as the server and all users / viewers are on the same VPN.

 

Q: I have other questions or concerns about security - who do I call?

A: Other than Ghostbusters? Contact support@streamwell.net with any further questions!