views: 315, answers: 7

I want to be able to deliver music/mp3 using a flash player but I'd like to make it so that the mp3 files cannot be sniffed... i.e. you can't use safari, firebug..etc. to find out the mp3 location using the activity window. I don't have a streaming server. Any idea?

If I go with a streaming server, any suggestions on how to go about it (cheaply)?

+3  A: 

This is more or less impossible. Since the client can connect, it must know the address. You're looking to obscure the source, but you can't hide it completely, and I suppose the easiest way would be to use some kind of browser plugin, flash and java come to mind (as you've suggested), which asks a server for the address. Note that it's still very much possible to analyze the flash or java program, as the browser still needs to download the .swf file.

A different approach would be to use a single-use URL, where the server serves up a URL which can only be used once. It's still 'sniffable' and can still be exploited if it's intercepted before the client connects though.

roe
Not only is it possible to analyze the program, but there are programs for monitoring HTTP traffic that can even more easily catch requests and replies.
Chris Charabaruk
@Chris; of course, that's why I always say 'address', which might not be a URL. How you access the data doesn't matter, it's still possible to analyze the program and get access that way.
roe
I'm using the earlier suggestion but it's still sniff-able. I think your later suggestion would work - one-time URLs. Would you know any PHP packages that do that?
JONYC
@JONYC: 'one time URLs' are the same thing as the access keys PartlyCloudy mentioned. It's not really hard, just send a random number to the client, store it in the php-session, and when the request arrives, check if it's the same (perhaps transformed in some non-trivial way to obscure it) and remove it as valid from the session.
roe
+3  A: 

If you're delivering an mp3 to the user's computer, you're delivering an mp3 to the user's computer. I guess you can try encryption of some sort to make it harder to recover the MP3, but if the user's computer can play it, it can also take those same bits and save them off to disk before playing them.

Yuliy
+6  A: 

You really cannot safely distinguish clients in HTTP. When they record the whole traffic, they can always replay the interaction, unless you use some cryptographic mechanisms.

As an easy approach, I would try to allow requests only in combination with an access key. The access key is created by yourself and sent to the browser as a parameter of the URI. When the client sends the request, it is only valid if the provided access key is valid as well. Within the access key, you could encode some information like IP address, time range, user agent etc.

But as I said, there is no 100% secure way to protect your data, as long as you eventually expose it via HTTP. There is always the hardcore approach to sniff your whole traffic and rebuild the files that way.

Access keys are used by Amazon S3, but there are also plugins for webservers like nginx.

PartlyCloudy
Do you know of any access key packages in PHP?
JONYC
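The access key described in this answer, combined with the single-use check roe describes in the comments above, as an added example that is not code from any poster on this page. `SECRET`, `issue_key()` and `redeem_key()` are hypothetical names, the sample values are constructed, and `$store` stands in for `$_SESSION` so the script runs from the command line.

```php
<?php
// Added example: HMAC-signed, expiring, single-use access key for a media URL.
// Hypothetical names throughout; $store stands in for $_SESSION or another
// server-side store so the script can be run with the PHP CLI.
const SECRET = 'replace-with-a-random-server-side-secret'; // constructed value

function b64url(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

function issue_key(string $file, string $ip, int $ttl, array &$store, ?int $now = null): string {
    $now = $now ?? time();
    $nonce = bin2hex(random_bytes(16));      // unpredictable one-time value
    $store[$nonce] = true;                   // remembered until redeemed
    $claims = ['f' => $file, 'ip' => $ip, 'exp' => $now + $ttl, 'n' => $nonce];
    $payload = b64url(json_encode($claims));
    return $payload . '.' . b64url(hash_hmac('sha256', $payload, SECRET, true));
}

function redeem_key(string $key, string $file, string $ip, array &$store, ?int $now = null): bool {
    $now = $now ?? time();
    $parts = explode('.', $key);
    if (count($parts) !== 2) return false;
    [$payload, $mac] = $parts;
    $expected = b64url(hash_hmac('sha256', $payload, SECRET, true));
    if (!hash_equals($expected, $mac)) return false;           // constant-time compare
    $claims = json_decode(base64_decode(strtr($payload, '-_', '+/')), true);
    if (!is_array($claims)) return false;
    if (($claims['f'] ?? null) !== $file || ($claims['ip'] ?? null) !== $ip) return false;
    if (($claims['exp'] ?? 0) < $now) return false;            // time range elapsed
    if (empty($store[$claims['n'] ?? ''])) return false;       // unknown or already used
    unset($store[$claims['n']]);                               // consume: single use
    return true;
}

// Constructed demo: first request, replay of the same key, key used from another IP.
$session = [];
$key = issue_key('track-01.mp3', '203.0.113.7', 60, $session);
var_dump(redeem_key($key, 'track-01.mp3', '203.0.113.7', $session));
var_dump(redeem_key($key, 'track-01.mp3', '203.0.113.7', $session));
var_dump(redeem_key(issue_key('track-01.mp3', '203.0.113.7', 60, $session), 'track-01.mp3', '198.51.100.9', $session));
```

As the answers on this page point out, a key like this limits how a URL can be reused or shared; the client that legitimately redeems it still receives the MP3 bytes.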
+1  A: 

It's not really possible to conceal the URL without using some sort of closed technology like Flash. An alternative you can use is to keep your MP3s in a password-protected directory but stream them to the browser via a server-side script that bypasses that protection. That way, even if someone knows the URL of an MP3 file, they can't download it by simply entering its address in their web browser.

Jimmy Cuadra
Even using Flash won't help, given a sufficiently intelligent end user. Flash applets can be decompiled and analyzed, and programs like Fiddler let users see all HTTP traffic between their machine and others.
Chris Charabaruk
+1 to Chris. Either you use HTTP, and Fiddler will catch it, or you use something else and deal with all the problems - like users whose firewalls block your non-standard protocol.
MSalters
+2  A: 

Go for streaming, or it's impossible. Firebug, Opera's Dragonfly, etc. show all HTTP requests run by the browser, there is no way to hide them. I download media from "within" flash regularly (YouTube, for example), and it works every time, except with streaming, because that's not HTTP.

GodsBoss
I like your honesty. :)
JONYC
I used to download streaming all the time when mlb.com's flash player didn't work on linux. Just grabbed the one-time keys using a javascript breakpoint and fed them to my media player.
roe
+1  A: 

You can use a 2-way encryption.

You pass encrypted URLs to the audio player then have the player reverse-encrypt them. Not 100% secure but it could help.

Emanuil
I tried that... It didn't work because people can sniff the HTTP address using things like Tampa, Safari Activity window...etc.
JONYC
The thing is, when the audio player decrypts the URL, it makes a request to the server, and then the client knows what that URL is.
matt lohkamp
Sure, it's not a 100% secure approach.
Emanuil
Could try encrypting the audio/video stream itself? Then if the user finds the URL the data can't be played back without the correct key.
Shrill
+1  A: 

Use a socket server and obscure the connection. I think something like electroserver should do what you want, it used to have a free license up to 25 or so users, then it's only a couple hundred to license it. Not sure about ES4.... It might be overkill for your needs.