Protect flash video from download/right protect
A

9

17

Is it possible to protect flv files from download? I'd like to protect my files from download but I don't have the money for a streaming server which I think provides some sort of protection. The files are streamed via PHP and are located in an upload folder on my server.

I've used PHP to ensure that only subscribers can view the video but I basically want to go a step further and prevent subscribers from, upon login, downloading my videos with downloaders such as Sothink Flv Downloader for Firefox.

Aerobiosis answered 19/11, 2008 at 1:23 Comment(0)
P
33

I fully agree with the DRM consensus of other answers. But would like to add...

There are a couple of obfuscation techniques that may meet your needs. "Good enough", as they say. These aren't foolproof mechanisms, but very well may prevent 80%-99% of people trying to copy your FLV streams/files. A dedicated hacker will get to it, but most folks are just script kiddies (or their Firefox plug-in loving cousins.) Plus, some of these techniques are really easy:

  • Change/remove the MIME type the server is responding with. Flash players blissfully ignore it anyway. E.g.: image/jpeg
  • Change the file extension from .flv to something else, like .jpg. Again, Flash players blissfully ignore it anyway. Additionally, once the file is saved to disk, a non-FLV player will open it (and complain about it being an invalid file format.)
  • Set aggressive 'don't cache' headers for all your FLV content. (This, naturally, means more traffic and bandwidth consumed. Maybe this is not an issue for you?)
  • Stream over UDP-based protocols (like RTSP). While my read is that UDP protocols are on the way out for large scale streaming of on demand content, it is much more difficult to copy. E.g.: Real Downloader cannot currently pilfer these streams.
  • Break up content into two or more pieces of partial content, and play them back to back.
  • Hide your FLV content behind a simple, custom one-time authentication mechanism
    • Player requests authorization key for content A
    • Server returns an authorization1 key: SHA1(content key + salt1)
    • Server stores content key, authorization1 key, authorization2 key (which is SHA1(authorization1 + salt2))
      • one time use
      • limited validity (E.g.: 2 seconds)
    • Player creates authorization2
    • Player requests content A with authorization2
    • Server sends FLV content to client if and only if
      • authorization key matches to content key in server side store
      • authorization key has not expired

I've actually implemented that last idea, the authorization mechanism, myself and can vouch for its practical effectiveness. No, it is not totally secure. But it is good enough. Not even a power user is capable of beating it.

Defeating it requires

  1. reverse engineering the process,
  2. decompiling your Flash player,
  3. putting it all back together again.

Good enough.


It is amazing how many "plz sends me teh codez" emails this post has generated from the "simple, custom one-time authentication mechanism" suggestion. Don't bother, I can't--it was for a proprietary project for my employer, xtendx AG. If interested in purchasing the system, email [email protected].

Pulmotor answered 30/10, 2009 at 15:54 Comment(6)
I use this implementation of one-time authentication mechanism #8849419, what do you think? – Tray
I implemented something like that last one, but it can have lots of issues if you have caching on your server. Breaks the whole system for me, unless you keep the related pages from being cached. – Bennettbenni
@Bennettbenni Well, it seems kind of obvious to me. But I am admittedly very well versed with the problems involved. As a rule of thumb, caching and user specific security are mutually exclusive. – Pulmotor
Yeah. I set it up without thinking about the fact that public server has a big cache system. I immediately realized the issue. Working with host to find a way around it (they control the caching). Just thought it was good to mention as caching becomes a bigger part of the web. Your solution is great. Another layer you can add is to have the URLs change after every use or every 15 minutes or so similar to Amazon S3, though probably doesn't matter with the level of verification that already exists. – Bennettbenni
So far, I am also not able to get this to work in Safari. Works everywhere else, but the cookie gets cleared before Safari gets to the file. Might just be my implementation. Still testing it. – Bennettbenni
There's a bunch of good ideas, but I would also recommend watermarking your creation. With the link of a website for example. Even if we steal your creations, it will still indicate the original source. – Celestecelestia
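The one-time authorization flow from Pulmotor's answer above, sketched server-side in PHP as an added example (it is not the answerer's code, which the post does not show). Assumptions: `salt1` is a fresh random value per request, `salt2` is a secret also compiled into the player, and all class, function and constant names are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical secret, also compiled into the player (assumption, not from the post).
const SALT2 = 'constructed-player-salt';
const TTL_SECONDS = 2.0; // "limited validity (E.g.: 2 seconds)"

final class OneTimeAuthStore
{
    /** @var array<string, array{content: string, expires: float}> keyed by authorization2 */
    private array $pending = [];

    /** Issue authorization1 and remember the authorization2 the player must send back. */
    public function issue(string $contentKey, float $now): string
    {
        // Assumption: salt1 is random per request, so two requests never share a key.
        $auth1 = sha1($contentKey . random_bytes(16));
        $auth2 = sha1($auth1 . SALT2);
        $this->pending[$auth2] = ['content' => $contentKey, 'expires' => $now + TTL_SECONDS];
        return $auth1;
    }

    /** Serve only if authorization2 is known, unexpired and bound to this content key. */
    public function redeem(string $contentKey, string $auth2, float $now): bool
    {
        $entry = $this->pending[$auth2] ?? null;
        unset($this->pending[$auth2]); // one time use, even when a later check fails
        if ($entry === null) { return false; }
        return $now <= $entry['expires'] && $entry['content'] === $contentKey;
    }
}

/** What the player computes between its two requests. */
function playerDerive(string $auth1): string
{
    return sha1($auth1 . SALT2);
}

// Constructed walk-through with a fixed clock value instead of microtime(true).
$store = new OneTimeAuthStore();
$t0    = 1000.0;
$auth2 = playerDerive($store->issue('video-a', $t0));
var_dump($store->redeem('video-a', $auth2, $t0 + 0.5)); // first use inside the window
var_dump($store->redeem('video-a', $auth2, $t0 + 0.6)); // replay of the same key
$late  = playerDerive($store->issue('video-a', $t0));
var_dump($store->redeem('video-a', $late, $t0 + 5.0));  // after the 2 second window
$other = playerDerive($store->issue('video-a', $t0));
var_dump($store->redeem('video-b', $other, $t0 + 0.5)); // key issued for other content
```

The store here is an in-memory array for one process; a real deployment needs shared storage for pending keys, and, as the comments above point out, neither response in this exchange can be served from a cache.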
I
8

There is no way to add DRM protection (i.e. encryption) to static FLV files - anyone who knows the URL can simply download them, or (in some cases) get them out of their browser's cache, and then play them in any supporting player. (However, you can probably prevent people from embedding your content in other sites - google "Hotlinking protection".)

Streaming your FLVs can be done for free with OSS like Red 5. This doesn't offer "DRM" protection per se, but it does send the video in a file stream, so there is no single file for the user to download and save. It's still possible for the user to capture the file with certain programs, but it's much more inconvenient.

As for "real" DRM, the only solution I'm aware of is Adobe Flash Media Rights Management Server. I've never used it, but apparently it will stream DRM-encrypted FLV or MP3 content, and enable you to apply the usual sorts of DRM restrictions.

Inclinatory answered 19/11, 2008 at 2:38 Comment(1)
DRM is a fracking nightmare to implement, consumes dramatically more resources than non-DRM solutions, and frequently drives the user crazy. If it was a worthy technology we'd see it all over the net. – Pulmotor
J
6

You can't. Any effort or money that you spend chasing DRM will be a waste of resources that you could have put into improving your product. Put your logo and URL into the videos, so that anyone copying them is advertising your site, put a copyright notice into the videos and sue anyone who you catch copying your content illegally, and call it a day.

Jorgenson answered 19/11, 2008 at 2:6 Comment(0)
M
3

The short version is that DRM (in any form) is an arms race. If I can play it, I can steal it. The only question is how hard it is.

Personally, I don't think DRM is a good idea. In the long run, it's not going to help because people who steal it will steal it no matter what you do, and those who don't will be inconvenienced by it even so.

http://xkcd.com/488/


That said, stealing it is also not a good idea and you should have the right to control what you produce. (However I don't know how to do that)


The only answers I can think of for this are: 1) start selling something that can't be stolen or 2) make it easier to buy than steal. The first amounts to Pandora-for-fee/Netflix-for-music (but with something like a CC license on major label songs). The second isn't even a music industry problem but a financial industry problem; how to make online payments easy and safe for both sides without screwing over either the buyer or the seller.

Mcclung answered 19/11, 2008 at 1:28 Comment(1)
Maybe XKCD should be added to the auto search thing :p – Mcclung
K
2

Have you thought about hosting your video on Amazon S3? You can set URLs for your videos to expire so that the link to the video will only be valid for a certain period of time. This doesn't prevent anyone from getting the video from their cache once it has downloaded, nor does it prevent other ways such as using Orbit downloader or RealPlayer video downloader, but it would prevent hotlinking.

I agree with comments that this is an arms race and a strategy for video delivery that accepts that people do want to download videos to share or copy to other devices etc and tries to live with it will probably be the most successful and pain free. Watermark, embed links to your site, try to capitalise on the increase in the number of eyeballs watching your video as a result of being downloadable.

Kuhl answered 30/10, 2009 at 11:6 Comment(0)
C
1

Sites like YouTube try to make it difficult to download their videos by obfuscating the Flash and also changing the structure every so often. As others have said, it is an arms race. YouTube updates their structure and then tools like pytube have to also update.

Cherry answered 12/11, 2009 at 0:38 Comment(0)
J
0

Have a look at this analysis from Longtail.

It starts with a golden rule:

Anyone who can watch your video can steal your video.

And it ends up with a really nice series of security concerns and prevention techniques.

Jerlenejermain answered 29/4, 2010 at 15:22 Comment(0)
L
0

Make a separate site for your content. Configure web server app settings for 2nd site ("content server") to intercept requests for any static content (your videos, pictures, whatever) so you can do a check for a permissions cookie for each requested piece of content to check if they've been validated and granted access to that piece of content or not.

Labe answered 26/1, 2015 at 20:36 Comment(0)
S
-1

No protection can beat a simple use of WireShark + NetMiner.

Period.

Oh and by the way, about youtube, if you use Chrome check out this extension:

http://hosting.gmodules.com/ig/gadgets/file/113621719436589749332/ZiTube.crx

It just creates a download button under youtube videos ;)

Surrogate answered 28/5, 2010 at 11:12 Comment(0)
