Hi,

I'd like to host a video on s3. I would like to 'embed' it in a page within my site, like:

http://example.com/demo.html
   <video>the video</video>

I'm not sure how to embed a video player and point it to the URL hosted at S3. I've only used the YouTube API player for that, but this is probably possible.

The issue I'd like to know about is whether there is a way to block people from viewing the video once they know what the URL of the video resource is. For example, if I find the URL of a picture on a web page, I can copy its URL and view it directly in a browser. Is there a way to stop that? I want people to only see the video if they're viewing it from that specific page. The larger plan is to only show the video to members that have created an account with my website. The Vimeo API looked promising but is for non-commercial use only, so I'm seeing if this is possible with S3.

Thanks

A: 

It's a bit of a cat and mouse game; there's a Firefox extension, "DownloadHelper", that grabs video from most embedded sources. If it's important that people aren't able to take the video and do what they please, you may want to look into some manner of DRM, but that's also not bulletproof, and might be overkill in this case.

John Carter
Hmm but when a user makes an http connection to fetch the video content, can't I check if there's a session enabled for that user (the browser would send that across in each connection made to the server right?). If I see no session, I just reject?
Right, but this is a Firefox extension. The browser (which is running the 'grabber') has a valid session and is grabbing the video. AFAIK 'Download Helper' looks the same as the browser to the site.
John Carter
Ah ok wasn't reading it correctly, that makes sense. Good to know, thanks.
A: 

If you own the server, you can do things like serve the video at a URL that is only temporarily valid (expires with the HTTP session or after 5 minutes or something). However, since you are serving off of S3, which you have zero control over, that kind of technique is unavailable. Beyond that, an S3 URL is a good old-fashioned URL which, if it is reachable by the video player, is reachable any other way as well...

larson4
Also, why exactly do you want to prevent people from downloading it? And why do you fear they will (beyond hubris)?
larson4
Oh it's just paid content. So a friend is generating some video, and doesn't want them to be viewed unless the user paid to see them.
If it's paid content, then perhaps they can afford to host it on some server you control more closely than S3? But beyond that, paid video is a fairly uncommon model for anything that I can imagine being developed by the masses...
larson4
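The temporarily valid URL described in this answer, for the case where the video is served from a server you control, as an added example that is not part of the original thread. The secret key, function names, session ids and the `/videos/demo.mp4` path are assumptions made for illustration; the 300-second lifetime is the "5 minutes" from the answer.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

SECRET_KEY = b"constructed-demo-key"  # assumption: secret known only to the server
TTL_SECONDS = 300                     # link lifetime: the "5 minutes" from the answer


def _signature(path, session_id, expires):
    # Bind the link to one path, one session and one expiry time.
    msg = f"{path}\n{session_id}\n{expires}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def make_video_url(path, session_id, now=None):
    """Build the link while rendering the members-only page."""
    expires = int(time.time() if now is None else now) + TTL_SECONDS
    query = urlencode({"expires": expires, "sig": _signature(path, session_id, expires)})
    return f"{path}?{query}"


def check_video_request(url, session_id, now=None):
    """Run in the video handler before any bytes are sent; returns (allowed, reason)."""
    now = int(time.time() if now is None else now)
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    try:
        expires = int(params["expires"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError):
        return False, "missing or malformed token"
    if session_id is None:
        return False, "no session"
    expected = _signature(parts.path, session_id, expires)
    # Constant-time comparison; checked before expiry so an edited "expires" fails here.
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False, "bad signature"
    if now > expires:
        return False, "expired"
    return True, "ok"


if __name__ == "__main__":
    url = make_video_url("/videos/demo.mp4", "sess-alice", now=1_000_000)  # constructed input
    print(url)
    print(check_video_request(url, "sess-alice", now=1_000_100))  # same session, in time
    print(check_video_request(url, "sess-bob", now=1_000_100))    # link copied to another session
    print(check_video_request(url, "sess-alice", now=1_000_400))  # same session, too late
```

A copied link stops working for other sessions and after the lifetime ends; as the first answer notes, a client that holds a valid session can still save what it is allowed to play.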
A: 

I have not used S3 so I don't know the specifics, but what I would do is have a client-side Silverlight/Flash player that can stream from a URL referencing a video file (check out the MediaPlayer element if you want to use Silverlight), then that should connect to a generic handler on your web server that will serve the content from S3 as if it actually had the content. Once you had that working you could integrate the handler in with your current security (sessions etc.) to check that they are logged in. A generic handler is an ASHX file, written in .NET, that's very flexible. Recently I needed to track bandwidth usage for an image - I wrote a handler that would add to a counter in the SQL DB, then serve the image by setting the ContentType. So the user would load http://www.mydomain.com/pichandler.ashx?file=grrr.jpg and it would produce an image as if they went directly to the image.

P.S. The solution I'm talking about would need knowledge of .NET - I don't know what language you will be using.

Matt
A: 

Hi,

You can use the Bucket Policies feature to protect files from leeching.

Here is an example of a bucket policy that allows you to prevent hotlinking:

{
    "Version": "2008-10-17",
    "Id": "preventHotLinking",
    "Statement": [
        {
            "Sid": "1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::your.bucket.name/*",
            "Condition": {
                "StringLike": {
                    "aws:Referer": [
                        "http://yourwebsitename.com/*",
                        "http://www.yourwebsitename.com/*"
                    ]
                }
            }
        }
    ]
}

But don't forget to replace your.bucket.name with your actual bucket name and yourwebsitename with your website name.

You can view and edit Bucket Policies with S3 Browser Freeware. You can find more Bucket Policies examples here.

S3 Browser Team