Protect Video Content? Created Dec 11, 2008

Hi Tony,

You could achieve this to an extent with any player.

Serve up your videos via a streaming server (RTMP). This doesn't deliver the video file (flv, mp4 etc.) the same way as progressive streaming does. As well as allowing seeking, it means the video file isn't actually downloaded to the viewers pc. This has 2 main benefits:

- Your videos have increased protection*
- Your bandwidth charges will be reduced by about 40%

* Eventually, people will find a way to download your videos and save them as .flv. When someone takes the time out to develop a script/software to do this, then your site should be so successful that you don't care :-)

Setting up your files via RTMP seems daunting at first, but it's a process I recently went through so here's the main options:

Install Your Own
Red 5 (Free) -http://osflash.org/red5
Adobe FMS ($999)* -http://www.adobe.com/products/flashmediaserver/
Wowza ($999)* http://www.wowzamedia.com/

* both have free 10 user development versions which are the same as commercial product

Get Flash Hosting
Influxis -http://www.influxis.com/
UVault -http://www.uvault.com
There's more but I think Influx are the main players

Get CDN Hosting
Simple CDN -http://www.simplecdn.com
EdgeCast -http://www.edgecast.com/
Akamai -http://www.akamai.com/
LimeLight -http://www.limelightnetworks.com/

Now the fact that you want to protect your media means it's valuable. So, this is probabaly no time to be tight. I'd say avoid Red5, it's way too buggy and unpredicatable and the time you waste on it could be time spent on other things.

FMS was installed and up and running for me in less than 20 minutes, using the default 'vod' application thats installed automatically. The problem I soon discovered is that, with 50% of my audience in the UK, and my server in Florida, USA, I was going to have some speed issues.

FMS hosting from a 3rd party provider is basically going to suffer from the same as above. If you have a lot of non-usa users, they aren't much use as they don't offer any kind of CDN services. Although influxis do seem like a good way to get a small video site started, they have only USA servers.

CDN is the route I took, purely because of my international users but also because Simple CDN http://www.simplecdn.com) actually turned out to be cheaper than getting 1 server from influxis, but with simple CDN it's "pay as you go" and they have distribution mirrors worldwide. (Its around $0.10 per GB or transfer after allowing for storage) They support RTMP straight away and offer $15 of credit when you open an account, which is the equivalent of getting a free development software version of the other streaming servers.

They 'mirror' your content automatically, so say you place all your FLV's in the folder:

http://www.yourwebsite.com/flvs/

Then they provide the IP address that they use to access those files, so you can limit (using Apache .htaccess or similiar) all access to that folder apart from their IP range. You can also change in your settings on the Simple CDN account to only allow access from certain domains. So your flowplayer page would look something similiar to:

baseUrl: 'rtmp://your.bucket.name.simplecdn.com:1935'
.....
url: 'your.bucket.name/yourVideo.flv'

Hope this helps you and others out tony

I think he's talking about hiding the source code links. Or rewriting them to output fake source's "hiding the real source". I don't think flowplayer can do this.

And I don't see how using a streaming server has anything to do with your videos having increased protection. The bandwidth usage will go down yes, but streaming has nothing to do with protecting the source.

The simplecdn seems to be a hit. The flowplayer main site is using them and those videos load screaming fast.

Also If you have a dedicated server or vps you could use nginx or lighttpd as a streaming server. Would save you some cash while your traffic builds. Though none of this has anything to do with caching or protecting your content, sry for getting off topic...

If anyone finds a content protection solution please post it ;)

Sorry but you are wrong.

To quote ADOBE

http://blogs.adobe.com/ktowes/2008/09/encryption_and_streaming_media_1.html

Content delivered from Flash Media Server (encrypted or unencrypted) will also leave no artifact on the disk that malicious software can capture.

I also recommend to the OP and Edge that you read that blog post fully in order to understand the differences between RTMP and Progressive download over HTTP.

You can find help on how to setup flowplayer with RTMP here:

http://flowplayer.org/plugins/streaming/rtmp.html

I'm not here to argue with you, and I do think your post was very informative.

The thing is even encrypted content from a fms server can be recorded or "attained" by anyone with a little time on their hands. And the methods currently used while being impressive are not bulletproof. Just google "record rtmp stream"
Plus FMS/wowza are both ridiculously expensive when compared to simplecdn or amazon's offering.

And in response to "read that blog post fully in order to understand the differences between RTMP and Progressive download over HTTP"

RTMP/Pseudostreaming and progressive, are all pretty simple concepts that I think you'll find many people here have a fairly firm grasp on.
I'm not a "streaming" pro and don't claim to be, but I've implemented all 3 types mentioned above on dedicated boxes and never found any of them to be particularly hard to comprehend or implement.

I've never thoroughly looked into content protection via source code or stream. My feeling has always been the harder you make it - the harder the person try's to get it.

I hope some of our rambling has been helpful to tony1kenobi.
Hopefully he will chime in and clarify exactly what he's looking for.

Ok off to play with ffmpeg.

Hi,

I'm impressed in the detail of the help provided. Thanks

The content is valuable hence the need to protect it form copying and distribution to a million membership sites!

I only want people who pay to see my videos. I have set up a membership site using wordpress and it works fine. Only members will see the pages with the video so that is one level of protection.

However what I would like to acheive is:
(i) not allow downloading of the video to the users PC,
(ii) not allow linking to the video directly
(iii) hide the location of the video files so direct linking will be hard as the address of the video will be hidden, and so forth...

At the moment I am tending towards the streaming route rahar than progressive download as I will have more control as per Liam's post above. Also simplecdn looks like a good option as the viewers will be international.

cheers
Tony

(i) not allow downloading of the video to the users PC, Streaming Fixes This
(ii) not allow linking to the video directly CDN's support accepting reuests from certain IP's only
(iii) hide the location of the video files so direct linking will be hard as the address of the video will be hidden, and so forth... read below


RE your membership site, one thing you might want to consider is amember pro http://www.amember.com/)

I used to use this on a website to handle premium memberships, only I WAS then allowing members to have access to the video files (something you should consider, asking people to pay a membership fee makes them feel like they deserve to download the video files) I also used wordpress to do this (amember pro has a wordpress plugin).

In terms of 'hiding' files to prevent linking, the best method is to have a rotating 'key', however I've yet to talk to simpleCDN regarding if they support any features like this. The usual setup is:

A file on your server is updated every 60 seconds with the new key.

http://www.yourwebsite.com/key/key.txt

The contents of key.txt at one particular time maybe:

BS73BDI2YSVERKUGRJBVWEVJVCBBDJYR3U654635BDHMGV

Then, you would link to files something like:

http://your.account.simplecdn.com/youraccount/BS73BDI2YSVERKUGRJBVWEVJVCBBDJYR3U654635BDHMGV987987.flv

You could block access to the /key/ folder by IP only, so that only your site (interanl) and the CDN can access it. The CDN can then only server up the file "987987.flv" if the correct key has been appended to the beginning.

This sort of solution is much easier to implement if the FMS is your own, however with a CDN it will require some custom solution.

Like I said, I'll be talking to them myself shortly regarding implementing this... However, most CDN's (simple included) can be setup to only accept requests from certain IP's or URLs so the above feature may be overkill.

in my opinion,

an excessive amount of protection will do you no good.
if a user can see the video they can record it.

there are numerous ways to attempt content protection, but they can all be circumvented easily.

better stick w/ what you have now & try some routine obfuscation to keep novices at bay. anyone determined enough & w/ enough technical "know-how" will get your data if they want it.

ok thankhk,

its a question of balance, i'm keen to protect content that I have spent a lot of time developing but at the same time I don't want to have to spend just as must time worrying about theft etc, so with what I have learned so far I think I can find a balance :-)

cheers
Tony

Tony,

I do exactly what you are looking for with WordPress. I am using Amazon S3 for storing my videos.

Amazon has an API that allows you to create expiring authenticated links to content. This means that when the user loads your page, the URL for the video that will play in Flowplayer gets generated on the fly and is only good for a short period of time.

Now, in that period, a savvy user could indeed still go download the content to their machine, but if they look at the page source and simply try to share the link with someone else, that link will expire at your provided interval and they will no longer be able to use it to get anything. The only way to generate a valid link to access the media would be to access your Wordpress membership site.

Wil

this is the default behaviour IF you have set any HTML content inside the player container. When player unloads this is the content that it is resumed to. When there is no content inside the container the Flash component stays there (unless you explicitly return false on

Bit late to this conversation, but I read in Liam's post right at the top that simpleCDN lets you restrict access to requests from certain domains. I'd love to be able to do this but I can't see the option for this in simpleCDN. Am I missing something?

Thanks, Frank

Hi Frank,

I'm in the simplecdn admin panel now. It seems they changed a lot since this was originally posted, and since I last viewed the admin panel.

The only route I see now is to setup the CNAMEs & Virtual Hosting option via the simplecdn upload bucket area. eg, cdn.yourdomain.com then disable hotlinking to the video file type you're currently using via your webserver.

Here's a few examples for apache.
http://altlab.com/htaccess_tutorial.html

This isn't a foolproof setup but it would make it a lot harder for people to paste a direct link to your video in their own player on another site.

Setting up flowplayer to use rtmp would also help a bit by requiring the use of the rtmp protocol and a player that supports it on the site stealing or hotlink your media.

I'm checking out the secure streaming flowplayer plugin now. I'll post the results when I get a minute

Hi Edge

Thanks for your reply. That sounds like a very good solution - I didn't realise you could use that kind of htaccess stuff on a CNAME. Also sounds nice and simple to do, which I like!

What would someone have to do to get round this? If the server is going to send a 403 Forbidden message to anyone other than my server trying to get to my .flv files, why is it still not foolproof?

Thanks again for your help

-What would someone have to do to get round this?

It can be spoofed, but I doubt anyone will do that to simply hotlink something.

Why not use rtmp? That protocol requires a lot more effort than simply pasting a direct http file link into a player.

I'm kinda surprised simplecdn dosen't have a domain limiting option.

Ah ok. I was going to use RTMP, but as far as I understood, this still left it very easy to work out the address of the .flv (at least, the way simpleCDN do it), and just type that addy into your browser to download the file. But it looks like adding the CNAME stuff to it too will be enough protection for what I'm looking for.

Many thanks for all your help!

I've recently implemented something similar to the SimpleCDN, except that I'm using CDNetworks as the content distribution network (they have excellent coverage in Asia).

It's based on the encrypted token technique. This offers two levels of protection. You encrypt a token (which contains several things, like client IP, server IP, timestamp, TTL, etc). Then you append the encrypted token to the URL, so that you have a URL that is only valid for the time interval specified in your TTL. The encryption is done via a COM library DLL they supplied (they have it for various platforms), which I imported to an ASP.NET assembly. The encryption uses Blowfish.

The second level of protection is that even if the token is still fresh (within its Time To Live), if the URL has been used before, it won't work a second time. So someone hits the page, which autobuffers the video via RTMP. This caused the request to be made using the encrypted token, and CDNetworks stores that in a temporary list of banned URLs. If the user copies the RTMP streaming endpoint, including the encrypted token, from the page source, it won't work (it's already been used).

Obviously, this doesn't protect you from someone holding a video camera to the screen, nor does it prevent auto background recording techniques (like Tunebite), but it certainly prevents hotlinking, which is perhaps a worse form of theft, because it costs you the bandwidth.

Regards,
Mike Sharp

Hi Mike

Thanks for that. I'm going to talk with my client about what level of protection they need. It might be that using RTMP and disabling hotlinking for the CNAME is enough in this case, but if they want the works, I'll definitely look at into the token thing.

Thanks, Frank

Let me know if you need further info. I can hook you up with CDNetworks, but it was remarkably easy to implement, even in SharePoint. Just a few lines of code to gather the stuff I needed, and one call to their COM library function:

    Ikeygen authobj = (Ikeygen)Context.Server.CreateObject("keygen4.keygen");
    string _encryptedToken = authobj.GetCode(
        originalUrl,
        Context.User.Identity.Name,
        TTL,
        Context.Request.UserHostAddress, 
        serverIp,
        _privateKey);

    _encryptedStreamingEndpoint = string.Format("{0}?key={1}", _encryptedStreamingEndpoint, _encryptedToken);

My email is my username on this forum, at hotmail.

Regards,
Mike Sharp

Thanks Mike. I'll take a look at CDNetworks. Can't seem to see anything about pricing on their site, but will email them to see what it would cost. Cheers!

Hi,

It just shows, a year ago SimpleCDN were rolling out token protection... and a year later it still isn't openly available!

We use them as they're still the cheapest and simplest around but every client we've had who wanted security has ended up using a different (though much more expensive) CDN.

@rdcpro - I am also on CDNetworks. I have added the URL Tag Validation as you mentioned in your post. NOw that I have added it, Flowplayer seems to break. Im guessing it doesn't like the extra parameters after the .mp4 extension. Any ideas about what to do? I really need to lock done the file to prevent unauthorized downloading. Below is what mu url looks like.

http://data.sitename.com/folder-name/video/file-name-2010-09-16.mp4?px-hash=10464b95131f5ba7838bb0f65c8b69a1&px-time=1297288363

Hi Lima

I read the post from the begining so you saying through the simpleCDN - we can protect the videos am I right ?

the user not able to download a videos, videos links, video files ..

so If the user has Download Manger he / She can steal the videos na through the Download Manager ??

If I start one video, then click on another, they both play at the same time. I'd like the first one to stop when the second video is clicked. I'm using the current flowplayer 3.0.2.