Protect streamed files from being downloaded

Hi list,

I am currently using Nginx’ flv module for streaming some video,
however I have one slight little problem, is that the file can still
be easily downloaded. Is there a way I can protect against that? Is it
an Nginx issue or something to do with the response headers not being
properly set in my application?

we’re looking at using PHP to determine if the user has access to view
it, and if so, then use X-Accel-Redirect to serve the file up.

note that I’m still waiting on the developer to finish his prototype
of it. Igor says it should work though.

What I meant is that I would like any user to be able to have access
to the video being streamed, but I don’t want the user to be able to
easily download the file.

The problem is - all you can see/hear on web you can get (traffic
dumping /
screen grabbing / soundcard capturing and so on).

Point is to make it pretty useless and frustrating for the users who
want to
snatch all of your site and one of the way to do it is by just limiting
the
bandwidth ( http://wiki.codemongers.com/NginxHttpCoreModule#limit_rate )
.
It is probably not so good on video content but streaming audio
(progressive
download) works nice - you just set up the speed limit just enough to
play
without delays and thats all. To get all the content a user must wait
full
length of the playtime and usually it is where the raw download attempts
end. Of course you may say that its only per connection then again there
are
also limits to those.

rr

----- Original Message -----
From: “Thomas” [email protected]
To: [email protected]
Sent: Wednesday, July 02, 2008 10:16 PM
Subject: Re: Protect streamed files from being downloaded

I understand what he wants. I know it´s impossible to avoid copy the
video,
but would be nice to not be so simple as point to url and save it.

On Wed, Jul 02, 2008 at 21:16:43, Thomas said…

What I meant is that I would like any user to be able to have access
to the video being streamed, but I don’t want the user to be able to
easily download the file.

If you’re using the average flash player like Youtube uses, the user
will be
able to just copy the video file out of ther temporary directory
anyways…

Hi Marcos, that’s exactly what I meant. I would like in the future to
stream video and music that has copyright on it, and to do that
legally I will have to negotiate with the music/video companies and it
is compulsory that the content cannot be simply downloaded by typing
the url in a browser or using wget, this is an absolute requirement.
Not everybody knows how to dump or screencast what is going on the
screen/audio card or even copy the cache content.

I am already limiting the rate of the transfer, but that’s more to
save the bandwidth than to protect.

Marcos N. ha scritto:

I understand what he wants. I know it´s impossible to avoid copy the video,
but would be nice to not be so simple as point to url and save it.

Usually what can be done is:

GET /path/to/file:
return an HTML form with a capcha or some other method to avoid
automa
POST /path/to/file:
return an HTTP redirect using a secure hash (the hash contains a
timestamp)
GET /path/to/file?hash=xxx
check if the hash is up to date and then deliver the file to the
user (using an internal redirect or a direct method when using
mod_perl or mod_wsgi).

Regards Manlio P.

On Wednesday 02 July 2008, Thomas wrote:

Hi Marcos, that’s exactly what I meant. I would like in the future to
stream video and music that has copyright on it, and to do that
legally I will have to negotiate with the music/video companies and it
is compulsory that the content cannot be simply downloaded by typing
the url in a browser or using wget, this is an absolute requirement.
Not everybody knows how to dump or screencast what is going on the
screen/audio card or even copy the cache content.

youtube way: hide the url )

No that’s not what I want.

I want any user to be able to watch a movie being streamed, but I
don’t want the users to easily be able to download the movie as a
file. This is mandatory for streaming copyrighted music or videos.

Unfortunately whatever method you use to “protect” the progressive
download, it can still be thwarted. Youtube does do work to prevent
someone from just hotlinking to an FLV, but as many of the “download
youtube video sites” suggest, it’s easy to just reverse engineer the
protection. Even a pure streaming solution (e.g. flash media server)
can be saved out to disk. However, the newer versions of flash have
stream DRM which make it much easier to protect (e.g. almost
impossible to hack), but you have to use proprietary Adobe software to
do this :frowning:

yea youtube doesn’t hide the url you can use

if you got a url for youtube to access a video then you can download
copy
it. What he is more wanting is something like youtube’s personal videos.
Where you specifiy what friends can access what video. So limiting to
authorized users.
It was already mentioned in this thread

but to use the
http://wiki.codemongers.com/NginxHttpCoreModule#internal directive on a
directory with your flv videos. And then use X-Accel-Redirect header (
http://wiki.codemongers.com/NginxXSendfile) to redirect to the internal
location after your application has authenticated them else your can
just
send a 403 forbidden header to the client or custom page saying access
denied. *

I was thinking something along these lines: You have the flash movie
player implement a procedure where you use php flash remoting
(http://www.amfphp.org/) to ask the server for a token which token is
then sent either in the URL of the FLV or as a header to nginx, then
as Rob S. recommended, use the “internal” directive and
“X-Accel-Redirect”. You can have the token valid for 5 seconds so that
nobody can use it again (and also specific for the video content). I
think you can make the communication between Flash and PHP secure
enough so that a simple reverse engineer of the Flash player itself
cannot do much to the user wanting to get the logic of your
protection.

Anybody sees something wrong with this?

Kiril

Actually, many YouTube downloader tools are so powerful, so it is very
difficult to protect the video files from being downloaded. Such as
Sothink Web Video
Downloader(SoThinkMedia: Professional Reviewer for All Video Topics )and
youtube downloader(http://www.youtubedownloader.com).

Anybody sees something wrong with this?

Kiril
That’s actually kind of the way I have implemented my protection
although not making so complicated. I only want to prevent 99.9% of my
visitors from downloading the files.

The 0.1% of the other visitors will always be able to crack the
protection by reverse engineering the swf file or by sniffing the
packets with wireshark, so they will know how the flash player and the
server communicate, and will be able to to know where to retrieve the
tokens from and how to use them. But that’s acceptable for me. Yeah
you could hide the token in the flv, but still the swf file can be
cracked and the hacker will eventually figure it out.

DRMs are not acceptable for me though. I don’t want my customers to be
part of my protection scheme, this is my business and not their
problem.