I'm starting a blog with a hosted WordPress instance and I would like to be able to stream music using a Flash player on some posts.

The problem is that every player I find uses a simple param to get the file URL, which makes it very easy for someone to find that URL and just download the file. I know that it's probably impossible to prevent this altogether, but I at least don't want it to be obvious.

A server-side solution can be implemented, as I have full access to the server.

A: 

There is pretty much nothing you can do to prevent someone downloading your file if they really want to.

However obfuscated you make the delivery mechanism, at the end of the day the music has to be decrypted and played on the end-users' machine and from that point it is easy enough to capture one way or another.

This is the exact DRM struggle the music industry has tried to solve and ultimately failed on, with the switch-over to vanilla MP3 format in most (all?) of the online music stores.

Paolo
I understand that it's always possible to download the music. I just want to prevent it from being obvious.
Hugo Palma
+1  A: 

When you download .flv files with Flash, they are in your /tmp/ folder (or whatever your crazy OS uses for temp data). Most Flash players are "vulnerable" to this.

Most Flash music players will first send an HTTP request saying "Hey, I want this file, can I have a token?" This token is then used to authorize the music download. This makes it so you can't have some easy-to-forge GET/POST request to download the file; you actually have to simulate a protocol interaction, which most children can't do. Most public "hacks" don't even use a browser; they just simulate the behavior of a browser and ignore any "security through obscurity" measures you put in place. Most children love these downloaders.

Although it is trivial to decompile most Flash applications, an attacker is going to look at network traffic because it's a lot easier. Tamperdata defeats a system of "transactions". In fact, I have never seen a protection system like this that can't be defeated with Tamperdata. You let the Flash player make the request for the token, then the next request for an mp3/flv file can be intercepted and then dropped. You can then replay this request and download the file normally.

This is a "client side trust" issue and THERE WILL NEVER BE A SOLUTION. But it looks like you know that and you are looking for security through obscurity.

Rook
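The token exchange described in the answer above, sketched from the server's side as an added example (not code from this thread): the page issues a short-lived HMAC-signed URL bound to the file path and client IP, and the download handler checks it before streaming. The key, TTL, sample path, IP addresses and function names are assumptions; as the answer says, a request replayed by the same client inside the validity window still succeeds.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlsplit

# Constructed demo key; a real deployment loads a random secret from server config.
SECRET = b"constructed-demo-key-not-for-production"
TTL_SECONDS = 60  # assumed link lifetime


def sign(path, client_ip, expires):
    """HMAC-SHA256 over every field the token must bind together."""
    msg = f"{path}\n{client_ip}\n{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_url(path, client_ip, now=None):
    """Called when the page embedding the player is rendered."""
    now = time.time() if now is None else now
    expires = int(now) + TTL_SECONDS
    return f"{path}?e={expires}&t={sign(path, client_ip, expires)}"


def verify(path, client_ip, expires, token, now=None):
    """Called by the download handler before any bytes are streamed."""
    now = time.time() if now is None else now
    try:
        exp = int(expires)
    except ValueError:
        return False  # missing or non-numeric expiry
    if exp < now:
        return False  # link has expired
    expected = sign(path, client_ip, exp)
    # Constant-time comparison; bytes so odd input cannot raise.
    return hmac.compare_digest(expected.encode(), token.encode())


def check_url(url, client_ip, now=None):
    """Parse a requested URL and verify its token."""
    parts = urlsplit(url)
    q = parse_qs(parts.query)
    return verify(parts.path, client_ip,
                  q.get("e", [""])[0], q.get("t", [""])[0], now)
```

This only stops a copied URL from working later or from another address; it does not change the client-side trust problem the answer describes.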
+3  A: 

From the sound of this question, it sounds like you are more interested in preventing "hotlinking" to save bandwidth.

http://www.cyberciti.biz/faq/apache-mod_rewrite-hot-linking-images-leeching-howto/

The link above is one such site, which will explain how to prevent hotlinking via checking the "referrer" that the browser sends with an HTTP request. Basically, if the user is linking to the file from another site that isn't "yours", then it can replace it or throw up an error message telling the user that hotlinking isn't allowed.

However, do keep in mind that the user can still go to your site, dig through the HTML, extract your link to the music file, and then proceed to download it normally. But this solution should stop "others" from stealing your bandwidth for the music file.

Pharaun
To be honest, I don't see this as being very helpful. I don't think that this type of activity will ever even come close to hitting your bandwidth cap. This is very 1999.
Rook
@The Rook - This may be true for low-traffic sites; however, a "Full" mp3 song is ~3.5Mb, and I have a VPS server that only supplies me with 200gb/month of bandwidth, and say the site is hit by Slashdot (~hundreds to thousands of hits a sec?), the bandwidth would be gone in ~58 seconds to ~10 minutes... Now the odds of this happening are pretty low, but eh.
Pharaun
A: 

I've solved this by not allowing hot linking using this guideline.

Hugo Palma