Re: [PHP] How to secure Flash Video? [Solved?]
Tedd, As Casey noted, there's no totally secure methodolgy, but your's is close enough - everything is wrapped in the Flash movie, so even if the movie is sent on to someone else, that someone has to be approved. We've been doing something similar for several years now, validating against a database and when validation succeeds, issuing a key stored in the database and as a Flash (ach, can't remember the name, but Flash's equivalent of a cookie.) As for people wanting total security - unplug everything and go split wood. Most security breaches are internal, and usually all that's necessary is to keep honest people from straying down the wrong path. Cheers - Miles On Jan 5, 2008 1:16 AM, tedd [EMAIL PROTECTED] wrote: Hi gang: Here's my logic, so what's wrong with it? My sole concern here is to protect a Video from being stolen and/or being viewed remotely while allowing approved users to view it. It is a fact that anything you present to a user is theirs. There's no stopping them from downloading a Video if they have permission to do so. In fact, that's exactly what they do when they view a Video -- they can't view it in their browser unless their browser has it. Now, I have investigated several ways to protect videos and prevent caching. Some methods are very complex -- but complexity does not always guarantee security. Complexity is more likely to present problems in its application. Sometimes the simplest method is best. The simplest protection method I can think of can be done by using Flash Video Actionscript in concert with php/mysql. It's a simple matter to have the Video run the following prior to displaying: theXML.load(http://example.com/security.php) That's similar to a javascript onload function. Upon loading the Video, the Video will run the script security.php which in-turn will check to see if an approved user is attempting to view the Video. This done by simply checking a user-id session variable in the script that delivers the Video. If that session variable (user-id ) is empty, then the security.php returns nothing. If that session session is not empty, then the script will check the user-id against the database to see if the user has permission to view the Video. If the user does not have permission, then the security.php script returns nothing. If everything checks, then the security.php script will return a key and the Video will check that key against an internal key -- if a match is made, then the video plays. Now, please note that this will also prohibit the user, even after paying for the Video, from downloading the Video for future plays because the Video will always check for a key. Even if the user downloads the Video and takes the Video to a remote player, the Video will still try to run the security script seeking a key. If the security script is not there, then it fails. Even if the user figures out that the Video requires a key, the still user has no way to determine what that internal key is. So, I think this will work. What say all of you? Where have I screwed up? And, please no one liners that solve the entire mess and make me look like a fool. Cheers, tedd -- --- http://sperling.com http://ancientstones.com http://earthstones.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] How to secure Flash Video? [Solved?]
Hi gang: Here's my logic, so what's wrong with it? My sole concern here is to protect a Video from being stolen and/or being viewed remotely while allowing approved users to view it. It is a fact that anything you present to a user is theirs. There's no stopping them from downloading a Video if they have permission to do so. In fact, that's exactly what they do when they view a Video -- they can't view it in their browser unless their browser has it. Now, I have investigated several ways to protect videos and prevent caching. Some methods are very complex -- but complexity does not always guarantee security. Complexity is more likely to present problems in its application. Sometimes the simplest method is best. The simplest protection method I can think of can be done by using Flash Video Actionscript in concert with php/mysql. It's a simple matter to have the Video run the following prior to displaying: theXML.load(http://example.com/security.php) That's similar to a javascript onload function. Upon loading the Video, the Video will run the script security.php which in-turn will check to see if an approved user is attempting to view the Video. This done by simply checking a user-id session variable in the script that delivers the Video. If that session variable (user-id ) is empty, then the security.php returns nothing. If that session session is not empty, then the script will check the user-id against the database to see if the user has permission to view the Video. If the user does not have permission, then the security.php script returns nothing. If everything checks, then the security.php script will return a key and the Video will check that key against an internal key -- if a match is made, then the video plays. Now, please note that this will also prohibit the user, even after paying for the Video, from downloading the Video for future plays because the Video will always check for a key. Even if the user downloads the Video and takes the Video to a remote player, the Video will still try to run the security script seeking a key. If the security script is not there, then it fails. Even if the user figures out that the Video requires a key, the still user has no way to determine what that internal key is. So, I think this will work. What say all of you? Where have I screwed up? And, please no one liners that solve the entire mess and make me look like a fool. Cheers, tedd -- --- http://sperling.com http://ancientstones.com http://earthstones.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] How to secure Flash Video? [Solved?]
On Jan 4, 2008 9:16 PM, tedd [EMAIL PROTECTED] wrote: Hi gang: Here's my logic, so what's wrong with it? My sole concern here is to protect a Video from being stolen and/or being viewed remotely while allowing approved users to view it. It is a fact that anything you present to a user is theirs. There's no stopping them from downloading a Video if they have permission to do so. In fact, that's exactly what they do when they view a Video -- they can't view it in their browser unless their browser has it. Now, I have investigated several ways to protect videos and prevent caching. Some methods are very complex -- but complexity does not always guarantee security. Complexity is more likely to present problems in its application. Sometimes the simplest method is best. The simplest protection method I can think of can be done by using Flash Video Actionscript in concert with php/mysql. It's a simple matter to have the Video run the following prior to displaying: theXML.load(http://example.com/security.php) That's similar to a javascript onload function. Upon loading the Video, the Video will run the script security.php which in-turn will check to see if an approved user is attempting to view the Video. This done by simply checking a user-id session variable in the script that delivers the Video. If that session variable (user-id ) is empty, then the security.php returns nothing. If that session session is not empty, then the script will check the user-id against the database to see if the user has permission to view the Video. If the user does not have permission, then the security.php script returns nothing. If everything checks, then the security.php script will return a key and the Video will check that key against an internal key -- if a match is made, then the video plays. Now, please note that this will also prohibit the user, even after paying for the Video, from downloading the Video for future plays because the Video will always check for a key. Even if the user downloads the Video and takes the Video to a remote player, the Video will still try to run the security script seeking a key. If the security script is not there, then it fails. Even if the user figures out that the Video requires a key, the still user has no way to determine what that internal key is. So, I think this will work. What say all of you? Where have I screwed up? And, please no one liners that solve the entire mess and make me look like a fool. Cheers, tedd I'm not sure if you mean FLV's or SWF's. If you mean FLV's loaded from SWF's, the browser can cache the FLV, and the user can later retrieve it. If you mean SWF's, there are extractors out there. In other words, it's not really possible to completely secure these videos, but this is a fairly good solution, as I see it. -- -Casey -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
