views:

3771

answers:

8

Is it possible to protect flv files from download? I'd like to protect my files from download but I don't have the money for a streaming server which I think provides some sort of protection. The files are streamed via PHP and are located in an upload folder on my server.

I've used PHP to ensure that only subscribers can view the video but I basically want to go a step further and prevent subscribers from, upon login, downloading my videos with downloaders such as Sothink Flv Downloader for Firefox.

+3  A: 

The short version is that DRM (in any form) is an arms race, If I can play it, I can steal it. The only question is how hard is it.

Personally, I don't think DRM is a good idea. In the long run, it's not going to help because people who steal it, will steal it no mater what you do and those who don't will be inconvenienced by it even so.

http://xkcd.com/488/


That said, stealing it is also not a good idea and you should have the right to control what you produce. (However I don't know how to do that)


The only answers I can think of for this are: 1) start selling something that can't be stolen or 1) make it easier to buy then steal. The first amounts to Pandora-for-fee/Netflix-for-music (but with something like a CC license on major label songs). The second isn't even a music industry problem but a financial industry problem; how to make online payments easy and safe for both side without screwing over either the buyer or the seller.

BCS
Maybe XKCD should be added to the auto search thing :p
BCS
+5  A: 

You can't. Any effort or money that you spend chasing DRM will be a waste of resources that you could have put into improving your product. Put your logo and URL into the videos, so that anyone copying them is advertising your site, put a copyright notice into the videos and sue anyone who you catch copying your content illegally, and call it a day.

Glomek
+7  A: 

There is no way to add DRM protection (i.e. encryption) to static FLV files - anyone who knows the URL can simply download them, or (in some cases) get them out of their browser's cache, and then play them in any supporting player. (However, you can probably prevent people from embedding your content in other sites - google "Hotlinking protection".)

Streaming your FLVs can be done for free with OSS like Red 5. This doesn't offer "DRM" protection per se, but it does send the video in a file stream, so there is no single file for the user to download and save. It's still possible for the user to capture the file with certain programs, but it's much more inconvenient.

As for "real" DRM, the only solution I'm aware of is Adobe Flash Media Rights Management Server. I've never used it, but apparently it will stream DRM-encrypted FLV or MP3 content, and enable you to apply the usual sorts of DRM restrictions.

fenomas
Voted down for giving technical information instead of telling the asker to give up? @_@
fenomas
DRM is a fracking nightmare to implement, consumes dramatically more resources than non-DRM solutions, and frequently drives the user crazy. If it was a worthy technology we'd see it all over the net.
Stu Thompson
+2  A: 

Have you thought about hosting your video on Amazon S3? you can set urls for your videos to expire so that the link to the video will only be valid for certain period of time. This doesn't prevent anyone from getting the video from their cache once it has downloaded nor does it prevent other ways such as using Orbit downloader, or RealPlayer video downloader but it would prevent hotlinking.

I agree with comments that this is an arms race and a strategy for video delivery that accepts that people do want to download videos to share or copy to other devices etc and tries to live with it will probably be the most successful and pain free. Watermark, embed links to your site, try to capitalise on the increase in the number of eyeballs watching your video as a result of being downloadable.

undefined
+14  A: 

I fully agree with the DRM consensus of other answers. But would like to add...

There are a couple of obfuscation techniques that may meet you needs. "Good enough", as they say. These aren't full proof mechanisms, but very well may prevent 80%-99% of people trying to copy your FLV streams/files. A dedicated hacker will get to it, but most folks are just script kiddies (or their FireFox plug-in loving cousins.) Plus, some of these techniques are really easy:

  • Change/remove the MIME type the server is responding with. Flash players blissfully ignore it anyway. E.g.: image/jpeg
  • Change the file extension from .flv to something else, like .jpg. Again, Flash players blissfully ignore it anyway. Additionally, once the file is saved to disk, a non-FLV player will open it (and complain about it being an invalid file format.)
  • Set aggressive 'don't cache' headers for all your FLV content. (This, naturally, means more traffic and bandwidth consumed. Maybe this is not an issue for you?)
  • Stream over UDP-based protocols (like RTSP). While my read is that UDP protocols are on the way out for large scale streaming of on demand content, it is much more difficult to copy. E.g.: Real Downloader cannot currently pilfer these streams.
  • Break up content into two or more pieces of partial content, and play them back to back.
  • Hide your FLV content behind a simple, custom one-time authentication mechanism
    • Player requests authorization key for content A
    • Server returns an authorization1 key: SHA1(content key + salt1)
    • Server stores content key, authorization1 key, authorization2 key (which is SHA1(authorization1 + salt2))
      • one time use
      • limited validity (E.g.: 2 seconds)
    • Player creates authorization2
    • Player requests content a with authorization2
    • Server sends ´FLV´ content to client if and only if
      • authorization key matches to content key in server side store
      • authorization key has not expired

I've actually implemented that last idea, the authorization mechanism, myself and can vouch for it's practical effectiveness. No, it is not totally secure. But it is good enough. Not even a power users is capable of beating it.

Defeating it requires

  1. reverse engineering the process,
  2. decompiling your Flash player,
  3. putting it all back together again.

Good enough.

Stu Thompson
+1  A: 

sites like youtube try to make it difficult to download their videos by obfuscating the flash and also changing the structure every so often. As others have said it is an arms race. Youtube updates their structure and then tools like pytube have to also update.

Plumo
A: 

Have a look to this analysis from Longtail.

It starts with a golden rule:

Anyone who can watch your video can steal your video.

And it ends up with a really nice series of security concerns and prevention techniques.

Roberto Aloi
A: 

No protection can beat a simple use of WireShark + NetMiner.

Period.

Oh and by the way, about youtube, if you use Chrome, check out this extension:

http://goo.gl/Wxoq It just creates a download button under youtube videos ;)

Zibri