views:

63

answers:

3

I've been scouring the Net for hours looking for a solution with with only partial and non-functioning solutions to show for my efforts.

The solution below seemed like a great fix at first but it also blocks my flash player from accessing the files. Could I only allow access from particular pages?:

< Files ~ "...">
order allow,deny
deny from all
< /Files>



The solution below seemed great at first because it didn't allow people to view the files in the directory but if the user knows the exact url of the music file, they can download it:

SetHandler application/x-httpd-php
SetHandler application/x-shockwave-flash

Now, I came across this post that forces a user to produce a username and password using htaccess but I dialog box pops up when on the flash player screen. Is there a way for the page the send the login info without the user doing anything?



If this isn't a secure method, can someone suggest a secure and relatively straight-forward method of implementing this restriction feature? URLs and examples would be greatly appreciated

P.S. This is a WordPress site, hence, I'll be using PHP as a programming language to implement any solution.

P.S. Looking to block novices from downloading, NOT hackers/crackers/internet wizards.

Thanks

A: 

Someone will always be able to appear as though they are running flash and be able to download your music. TamperData can be used to see all traffic the browser produces (including flash), and have the ability to replay, intercept and modify all requests. Flash is easy to decompile, but this probably isn't necessary.

The only thing you can do is to raise the bar and to prevent direct linking to your content. You can do this by using PHP to restrict access to the media. Put all of the media outside of the web root, or protect the directory with a .htaccess deny from all. Have the flash application first send a "request to download", give the flash app a temporary single use token (cryptographic nonce). This token is then used in the next request to download the music from a PHP file. This is easy to fool, but its the best you can do.

Rook
I know that from it's on the Internet it can never be truly secure but I'm targeting the typical techie user who might see the location playlist.xml file and browse it, open it and then go the mp3 file urls included. I'm NOT looking to block the hackers and crackers out their in the wild west.
Julian
@Julian I'm talking about defending against children, the most simple of attacks. It is trivial to intercept traffic and to decompile flash applications. You can obtain a truly secure server, but this service is inherently flawed. What i have suggested is what major vendors music vendors like bleep use.
Rook
@Julian also don't use words like "cracker" and "wild west". You are getting the facts from a very skilled white hat hacker.
Rook
+2  A: 

Since PHP is available, use it to protect the files. Don't have them in them in the web root, but somewhere that is accessible to PHP. Then generate a one-time-use URL like:

<?php
  $unique = md5( uniqid() );  // 32 hex characters
?>

Then store that unique value in the session/server/db and have another page validate the unique string prior to streaming the file:

<a href="streamer.php?id=6dd4566eb245627b49f3abb7e4502dd6">Stream Me</a>

Be sure to expire that unique token after the first use (or maybe after a few times if you are feeling generous). It won't stop the die-hards from capturing the HTTP stream anyway, but it should prevent casual linking.

Goyuix
-1 uniqid() alone is a very weak random number and not meant to stop attacks. Further more md5() does not make the value more random. Other than that this is nearly identical to my post but contains less information.
Rook
@Rook: I wrapped uniqid() in an md5() call to ensure the output characters are all URL friendly - not to enhance the cryptographic security. It may be totally unnecessary. And while uniqid() may be weak, it is probably "good enough" in this case to stop direct linking. If you can improve on the information/examples provided please add it to your answer and let it get up-voted.
Goyuix
+2  A: 

As The Rook points out, you can't have it both ways. You can't both give and not give your users access to your data. No matter how complex your authentication scheme becomes, competent users will always be able to bypass it because in order for the Flash player to function they must have credentials. Personally, I think the correct solution is to recognize that you can't prevent a determined user from saving your content and just let them. If you insist on making it more difficult, what solution is right for you will be determined by what segment of users you want to be effective against and how much work you're willing to put into implementation.

A simple solution would be to generate a one-time key each time you serve a viewer page and then serve the content through a PHP script that checks it. That way the user at least has to load the viewer page for the content they want and examine its source to extract the key instead of just putting a URL in their browser's address bar. However, if your site becomes at all popular someone will probably make available a script that does that automatically. For example, see youtube-dl, a Python script that downloads YouTube videos.

In your post you mention password protecting the files with Apache. It may be possible to have the Flash player application submit HTTP authentication, but I doubt that any existing players support that and modifying one to do so would require both the sources and experience with ActionScript. Any solution that will survive such trivial attacks as reading the page source is likely to require modifying the player.

Sam Hanes
My apologies for the redundancy. I wasn't getting the usual "someone else sumbitted an answer / edited their answer" notifications while composing this.
Sam Hanes