Re: [PHP] How to secure Flash Video? [Solved?]

2008-01-06 Thread Miles Thompson
Tedd,

As Casey noted, there's no totally secure methodology, but yours is close
enough - everything is wrapped in the Flash movie, so even if the movie is
sent on to someone else, that someone has to be approved.

We've been doing something similar for several years now, validating against
a database and when validation succeeds, issuing a key stored in the
database and as a Flash (ach, can't remember the name, but Flash's
equivalent of a cookie.)

As for people wanting total security - unplug everything and go split
wood. Most security breaches are internal, and usually all that's necessary
is to keep honest people from straying down  the wrong path.

Cheers - Miles

On Jan 5, 2008 1:16 AM, tedd [EMAIL PROTECTED] wrote:

 Hi gang:

 Here's my logic, so what's wrong with it?

 My sole concern here is to protect a Video from being stolen and/or
 being viewed remotely while allowing approved users to view it.

 It is a fact that anything you present to a user is theirs. There's
 no stopping them from downloading a Video if they have permission to
 do so. In fact, that's exactly what they do when they view a Video --
 they can't view it in their browser unless their browser has it.

 Now, I have investigated several ways to protect videos and prevent
 caching. Some methods are very complex -- but complexity does not
 always guarantee security. Complexity is more likely to present
 problems in its application. Sometimes the simplest method is best.

 The simplest protection method I can think of can be done by using
 Flash Video Actionscript in concert with php/mysql.

 It's a simple matter to have the Video run the following prior to
 displaying:

 theXML.load("http://example.com/security.php")

 That's similar to a javascript onload function.

 Upon loading the Video, the Video will run the script security.php
 which in turn will check to see if an approved user is attempting to
 view the Video. This is done by simply checking a user-id session
 variable in the script that delivers the Video.

 If that session variable (user-id) is empty, then the security.php
 returns nothing.

 If that session variable is not empty, then the script will check the
 user-id against the database to see if the user has permission to
 view the Video. If the user does not have permission, then the
 security.php script returns nothing.

 If everything checks, then the security.php script will return a key
 and the Video will check that key against an internal key -- if a
 match is made, then the video plays.

 Now, please note that this will also prohibit the user, even after
 paying for the Video, from downloading the Video for future plays
 because the Video will always check for a key.

 Even if the user downloads the Video and takes the Video to a remote
 player, the Video will still try to run the security script seeking a
 key. If the security script is not there, then it fails.  Even if the
 user figures out that the Video requires a key, the user still has no
 way to determine what that internal key is.

 So, I think this will work. What say all of you? Where have I screwed up?

 And, please no one liners that solve the entire mess and make me look
 like a fool.

 Cheers,

  tedd

 --
 ---
 http://sperling.com  http://ancientstones.com  http://earthstones.com

 --
 PHP General Mailing List (http://www.php.net/)
 To unsubscribe, visit: http://www.php.net/unsub.php




[PHP] How to secure Flash Video?

2008-01-04 Thread tedd

Hi gang:

Here's the problem.

I have a client who has Flash Videos and wishes to rent these Videos 
out for a certain time period. (No, it's not porn -- shame on you).


I have written the code and have NO problems with registering the 
user, having the user pay, and managing user's time to allow viewing 
the video. That's all been solved.


However, once the user is provided with a url where the Flash Video 
resides, then the user can view the video remotely by just creating a 
page that references that url -- that's easy to do.


Now, how can I stop that from happening?

I have some ideas, but would like to hear what greater minds have to say. :-)

Thanks in advance for all replies.

tedd


--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] How to secure Flash Video?

2008-01-04 Thread Robert Cummings
On Fri, 2008-01-04 at 12:58 -0500, tedd wrote:
 Hi gang:
 
 Here's the problem.
 
 I have a client who has Flash Videos and wishes to rent these Videos 
 out for a certain time period. (No, it's not porn -- shame on you).

Bah!

 I have written the code and have NO problems with registering the 
 user, having the user pay, and managing user's time to allow viewing 
 the video. That's all been solved.
 
 However, once the user is provided with a url where the Flash Video 
 resides, then the user can view the video remotely by just creating a 
 page that references that url -- that's easy to do.
 
 Now, how can I stop that from happening?

Use a URL that maps to a PHP script. Have the PHP script check that they
are logged in. If not, redirect to login. If they are logged in, then
flush the flash object to their browser with appropriate headers.

Cheers,
Rob.
-- 
...
SwarmBuy.com - http://www.swarmbuy.com

Leveraging the buying power of the masses!
...




Re: [PHP] How to secure Flash Video?

2008-01-04 Thread tedd

At 1:08 PM -0500 1/4/08, Daniel Brown wrote:
 On Jan 4, 2008 12:58 PM, tedd [EMAIL PROTECTED] wrote:
   Now, how can I stop that from happening?

 You could do link expirations with an auto-generated URL to mask
 the actual location, or could even create a dynamic symlink or copy on
 the server itself.  Have it expire and regenerate a new link every 15
 minutes.

???

You lost me at "You could do..".

You have an example?

Cheers,

tedd

--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] How to secure Flash Video?

2008-01-04 Thread Daniel Brown
On Jan 4, 2008 1:30 PM, tedd [EMAIL PROTECTED] wrote:
 At 1:08 PM -0500 1/4/08, Daniel Brown wrote:
 On Jan 4, 2008 12:58 PM, tedd [EMAIL PROTECTED] wrote:
Now, how can I stop that from happening?
 
  You could do link expirations with an auto-generated URL to mask
 the actual location, or could even create a dynamic symlink or copy on
 the server itself.  Have it expire and regenerate a new link every 15
 minutes.

 ???

 You lost me at "You could do..".

 You have an example?

Not really, but I do have theory in explanation:

1.) Links are generated to the videos based on a cron that runs
every 15 minutes.  The links can either be generated for
each individual, or can be generated for the server as a whole.
While the former is more secure, the latter is much more prudent
and takes far less resources.  Chances are, a global re-address
should suffice.

2.) The generated links are stored in a database, and are called
when a page loads.  See the postscript for one possible point
of interest related to this.

3.) The user clicks the generated link, which is a mask to the actual
file.  The user does not see the actual file, however, as this
is where Rob's idea of flushing the file through the buffer comes
into play.  The file is `read` through the buffer to the client.

ALTERNATIVE 1:
The cron can create symlinks on the server to the original files
to be used either under the user's directory (to which they, and
only they, have access), or done globally.

ALTERNATIVE 2:
Physically copy the files into the user directory, and have them
renamed or removed from the directory on a schedule.  This will
allow you to halt access should the files be hotlinked.  Conversely,
you can do what I've done over the years: when you detect that
someone is displaying an image on their page that resides on your
server, eating your bandwidth, you replace it with something
undesirable.
For example, I had a wannabe tough-guy on MySpace displaying
a graphic from one of my sites (militaria) on his profile.  It was a
rather large graphic that was sucking down about 50MB per day.
I replaced it with a cute graphic announcing how much he
enjoyed Pokemon, and the linking stopped within about 48 hours.

So there are plenty of viable methods; choosing which works
best in your situation is the key.

P.S. - In Step 2, keep in mind that, if a page is loaded and a
link not clicked prior to the next run of the cron (and subsequent
generation of links for the client to receive), the links will cause
404 errors.  One solution would be to maintain a key in the database,
with one or two rows of previously-generated links.  This will allow a
minimum of 16 minutes (on two rows) to a maximum of 44 minutes (on
three rows).  The $_SESSION['key'] (or ?key=) variable is looked
up in the database when the link is clicked, and PHP determines how to
translate the link.  If it's not found, the session has been active
and idle for too long, and times out.  This is another recommended
layer of security for any user area, of course, because there should
be no Good Reason[tm] that anyone would be staring blankly at a page
for 44 minutes.  If they simply forgot about the session, then they
can suffer the consequences and take the 30 seconds (or less) required
to log in again.

-- 
Daniel P. Brown
[Phone Numbers Go Here!]
[They're Hidden From View!]

If at first you don't succeed, stick to what you know best so that you
can make enough money to pay someone else to do it for you.
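
An added sketch of the rotation scheme in steps 1 to 3 and the P.S. above; it is not code from anyone in the thread. The `links` table, the function names and the 900-second cron interval are assumptions, and the demo runs against an in-memory SQLite database with constructed data.

```php
<?php
// Added example, not from the thread. Table and function names are hypothetical.

/** Cron job body: issue a fresh masked key per video, keep only the newest $keep runs. */
function rotate_links(PDO $db, array $videoFiles, int $now, int $keep): array
{
    $db->beginTransaction();
    $ins = $db->prepare('INSERT INTO links (link_key, file_name, issued_at) VALUES (?, ?, ?)');
    $issued = [];
    foreach ($videoFiles as $file) {
        $key = bin2hex(random_bytes(16));        // unguessable, unrelated to the file name
        $ins->execute([$key, $file, $now]);
        $issued[$file] = $key;
    }
    // List the runs newest first; anything older than the $keep-th run is dropped.
    $runs = $db->query('SELECT DISTINCT issued_at FROM links ORDER BY issued_at DESC')
               ->fetchAll(PDO::FETCH_COLUMN);
    if ($keep >= 1 && count($runs) > $keep) {
        $del = $db->prepare('DELETE FROM links WHERE issued_at < ?');
        $del->bindValue(1, (int) $runs[$keep - 1], PDO::PARAM_INT);
        $del->execute();
    }
    $db->commit();
    return $issued;                              // file name => current masked key
}

/** Link click: translate the masked key to a file, or null once it has aged out. */
function resolve_link(PDO $db, string $key): ?string
{
    $stmt = $db->prepare('SELECT file_name FROM links WHERE link_key = ?');
    $stmt->execute([$key]);
    $file = $stmt->fetchColumn();
    return $file === false ? null : $file;       // null: treat as timed out, ask for login
}

// Constructed demo, run from the command line.
if (PHP_SAPI === 'cli') {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE links (link_key TEXT PRIMARY KEY, file_name TEXT, issued_at INTEGER)');

    $t0   = 1199480400;                          // constructed clock value
    $run1 = rotate_links($db, ['lesson1.flv'], $t0, 2);
    $pageLink = $run1['lesson1.flv'];            // link sitting in a page the user left open

    rotate_links($db, ['lesson1.flv'], $t0 + 900, 2);
    var_dump(resolve_link($db, $pageLink));      // lookup after one further rotation

    rotate_links($db, ['lesson1.flv'], $t0 + 1800, 2);
    var_dump(resolve_link($db, $pageLink));      // lookup after two further rotations
}
```

With two retained runs the open page's link survives one rotation and is rejected after the second; raising `$keep` widens that grace window.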




Re: [PHP] How to secure Flash Video?

2008-01-04 Thread Robert Cummings
On Fri, 2008-01-04 at 13:29 -0500, tedd wrote:
 At 1:09 PM -0500 1/4/08, Robert Cummings wrote:
 On Fri, 2008-01-04 at 12:58 -0500, tedd wrote:
   Hi gang:
 
   Here's the problem.
 
   I have a client who has Flash Videos and wishes to rent these Videos
   out for a certain time period. (No, it's not porn -- shame on you).
 
 Bah!
 
   I have written the code and have NO problems with registering the
   user, having the user pay, and managing user's time to allow viewing
   the video. That's all been solved.
 
   However, once the user is provided with a url where the Flash Video
   resides, then the user can view the video remotely by just creating a
   page that references that url -- that's easy to do.
 
   Now, how can I stop that from happening?
 
 Use a URL that maps to a PHP script. Have the PHP script check that they
 are logged in. If not, redirect to login. If they are logged in, then
 flush the flash object to their browser with appropriate headers.
 
 Rob:
 
 I have all of that logic in place now.

Then what is the problem? Or do you mean you don't want the same user to
view the item while logged in at some point in the future? If so then
use a GET parameter (MD5 or SHA1 should suffice) that maps to a DB entry
that indicates expiration time.

Cheers,
Rob.
-- 
...
SwarmBuy.com - http://www.swarmbuy.com

Leveraging the buying power of the masses!
...




Re: [PHP] How to secure Flash Video?

2008-01-04 Thread tedd

At 1:09 PM -0500 1/4/08, Robert Cummings wrote:
 On Fri, 2008-01-04 at 12:58 -0500, tedd wrote:
   Hi gang:

   Here's the problem.

   I have a client who has Flash Videos and wishes to rent these Videos
   out for a certain time period. (No, it's not porn -- shame on you).

 Bah!

   I have written the code and have NO problems with registering the
   user, having the user pay, and managing user's time to allow viewing
   the video. That's all been solved.

   However, once the user is provided with a url where the Flash Video
   resides, then the user can view the video remotely by just creating a
   page that references that url -- that's easy to do.

   Now, how can I stop that from happening?

 Use a URL that maps to a PHP script. Have the PHP script check that they
 are logged in. If not, redirect to login. If they are logged in, then
 flush the flash object to their browser with appropriate headers.


Rob:

I have all of that logic in place now.

My question was specifically how to stop a remote viewer from viewing 
the video once the url is known.


I think Daniel answered it by disabling hot-linking. I just need to test it.

Cheers,

tedd

--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] How to secure Flash Video?

2008-01-04 Thread Daniel Brown
On Jan 4, 2008 12:58 PM, tedd [EMAIL PROTECTED] wrote:
 Hi gang:

 Here's the problem.

 I have a client who has Flash Videos and wishes to rent these Videos
 out for a certain time period. (No, it's not porn -- shame on you).

I stopped reading at this point, due to lack of interest.

Then I started again.

 However, once the user is provided with a url where the Flash Video
 resides, then the user can view the video remotely by just creating a
 page that references that url -- that's easy to do.

 Now, how can I stop that from happening?

You could do link expirations with an auto-generated URL to mask
the actual location, or could even create a dynamic symlink or copy on
the server itself.  Have it expire and regenerate a new link every 15
minutes.

To stop people from remotely-linking the video, disable hotlinking
of that file (or type) in Apache.

-- 
Daniel P. Brown
[Phone Numbers Go Here!]
[They're Hidden From View!]

If at first you don't succeed, stick to what you know best so that you
can make enough money to pay someone else to do it for you.




Re: [PHP] How to secure Flash Video?

2008-01-04 Thread tedd

At 1:54 PM -0500 1/4/08, Robert Cummings wrote:
 On Fri, 2008-01-04 at 13:29 -0500, tedd wrote:
   Rob:

   I have all of that logic in place now.

 Then what is the problem? Or do you mean you don't want the same user to
 view the item while logged in at some point in the future? If so then
 use a GET parameter (MD5 or SHA1 should suffice) that maps to a DB entry
 that indicates expiration time.

 Cheers,
 Rob.

Rob:

I'm sorry, I must not be explaining it well.

I have all the code in place to manage viewers.

What I'm asking is how to stop someone who isn't authorized to view a 
video after they know the url.


For example, let's say a person pays and has access to the video for 
some period of time.


Later his time runs out and if he returns to the site and tries to 
see the video again, he can't because he has to pay again. No 
problem, I have all that worked out.


However, let's say the user pays, views the video, makes a note of 
the url, and his time runs out. What's to stop him from viewing the 
video again by just entering the url?


That's what I'm asking -- I think Daniel's suggestion to prohibit 
hot-linking may work. I just need to test. Also, Daniel has provided 
me with some other code that is going to take me a while to test.


Thanks for your time.

Cheers,

tedd
--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] How to secure Flash Video?

2008-01-04 Thread Robert Cummings
On Fri, 2008-01-04 at 14:43 -0500, tedd wrote:
 At 1:54 PM -0500 1/4/08, Robert Cummings wrote:
 On Fri, 2008-01-04 at 13:29 -0500, tedd wrote:
 
Rob:
 
   I have all of that logic in place now.
 
 Then what is the problem? Or do you mean you don't want the same user to
 view the item while logged in at some point in the future? If so then
 use a GET parameter (MD5 or SHA1 should suffice) that maps to a DB entry
 that indicates expiration time.
 
 Cheers,
 Rob.
 
 
 Rob:
 
 I'm sorry, I must not be explaining it well.
 
 I have all the code in place to manage viewers.
 
 What I'm asking is how to stop someone who isn't authorized to view a 
 video after they know the url.
 
 For example, let's say a person pays and has access to the video for 
 some period of time.
 
 Later his time runs out and if he returns to the site and tries to 
 see the video again, he can't because he has to pay again. No 
 problem, I have all that worked out.
 
 However, let's say the user pays, views the video, makes a note of 
 the url, and his time runs out. What's to stop him from viewing the 
 video again by just entering the url?

It's simple, the URL should NOT directly point to the flash. It should
point to a PHP wrapper script. The wrapper script then allows you to do
any kind of checking necessary to restrict viewing of the video. This
can include:

- checking that the user is logged in
- checking that the user paid during current session
- checking that the user has email address [EMAIL PROTECTED]
- etc

If the check allows viewing of the flash, then read the content of the
flash object in PHP and flush to browser along with appropriate flash
content headers.

Cheers,
Rob.
-- 
...
SwarmBuy.com - http://www.swarmbuy.com

Leveraging the buying power of the masses!
...
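
An added sketch of the wrapper-script approach described in this message, combined with the expiring GET token from the earlier reply; it is not code posted by anyone in the thread. The `rentals` table, `VIDEO_DIR`, the function names and the `video.php?t=` URL are assumptions, and the demo uses an in-memory SQLite database with constructed rows.

```php
<?php
// Added example, not from the thread. Table, column and path names are hypothetical.

const VIDEO_DIR = '/srv/private/videos';         // assumption: outside the web root

/** Decide whether this request may see a video. Returns [httpStatus, filePathOrNull]. */
function authorize_view(PDO $db, array $session, string $token, int $now): array
{
    if (empty($session['user_id'])) {
        return [401, null];                      // not logged in: caller redirects to login
    }
    if (!preg_match('/^[0-9a-f]{40}$/', $token)) {
        return [400, null];                      // token is an opaque 40-hex-char handle
    }
    $stmt = $db->prepare(
        'SELECT file_name, expires_at FROM rentals WHERE token = ? AND user_id = ?'
    );
    $stmt->execute([$token, $session['user_id']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return [404, null];                      // unknown token, or another user's rental
    }
    if ((int) $row['expires_at'] <= $now) {
        return [403, null];                      // rental period over: the noted URL is dead
    }
    // basename() keeps a bad DB value from escaping VIDEO_DIR.
    return [200, VIDEO_DIR . '/' . basename($row['file_name'])];
}

/** Send the file through PHP so its real location never appears in a URL. */
function stream_video(string $path): void
{
    header('Content-Type: video/x-flv');
    header('Content-Length: ' . filesize($path));
    header('Cache-Control: no-store');
    readfile($path);
}

// In the web-facing wrapper (hypothetical video.php?t=<token>), after session_start():
//   [$status, $path] = authorize_view($db, $_SESSION, (string) ($_GET['t'] ?? ''), time());
//   if ($status === 200) { stream_video($path); } else { http_response_code($status); }

// Constructed demo data, run from the command line.
if (PHP_SAPI === 'cli') {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE rentals (token TEXT PRIMARY KEY, user_id INTEGER,
               file_name TEXT, expires_at INTEGER)');
    $now   = 1199480000;                         // fixed clock for the demo
    $live  = bin2hex(random_bytes(20));          // random handle, not derived from the file
    $stale = bin2hex(random_bytes(20));
    $ins = $db->prepare('INSERT INTO rentals VALUES (?, ?, ?, ?)');
    $ins->execute([$live, 7, 'lesson1.flv', $now + 3600]);
    $ins->execute([$stale, 7, 'lesson1.flv', $now - 60]);

    $cases = [
        'paid, in time'  => [['user_id' => 7], $live],
        'rental expired' => [['user_id' => 7], $stale],
        'other user'     => [['user_id' => 8], $live],
        'not logged in'  => [[], $live],
    ];
    foreach ($cases as $label => [$session, $token]) {
        [$status] = authorize_view($db, $session, $token, $now);
        printf("%-15s -> %d\n", $label, $status);
    }
}
```

Because the decision is made on every request, a URL noted down during the rental period stops working as soon as `expires_at` passes, and it never worked for a different account.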




Re: [PHP] How to secure Flash Video?

2008-01-04 Thread Daniel Brown
On Jan 4, 2008 3:12 PM, Robert Cummings [EMAIL PROTECTED] wrote:
 It's simple, the URL should NOT directly point to the flash. It should
 point to a PHP wrapper script. The wrapper script then allows you to do
 any kind of checking necessary to restrict viewing of the video. This
 can include:
[snip]
 - checking that the user has email address [EMAIL PROTECTED]

Remember, Rob, he said it's not porn.  So it doesn't have to be
your address that's allowed in at any given time.  ;-P

-- 
Daniel P. Brown
[Phone Numbers Go Here!]
[They're Hidden From View!]

If at first you don't succeed, stick to what you know best so that you
can make enough money to pay someone else to do it for you.




Re: [PHP] How to secure Flash Video?

2008-01-04 Thread Robert Cummings
On Fri, 2008-01-04 at 15:27 -0500, Daniel Brown wrote:
 On Jan 4, 2008 3:12 PM, Robert Cummings [EMAIL PROTECTED] wrote:
  It's simple, the URL should NOT directly point to the flash. It should
  point to a PHP wrapper script. The wrapper script then allows you to do
  any kind of checking necessary to restrict viewing of the video. This
  can include:
 [snip]
  - checking that the user has email address [EMAIL PROTECTED]
 
 Remember, Rob, he said it's not porn.  So it doesn't have to be
 your address that's allowed in at any given time.  ;-P

I was hoping he was lying 8)

Cheers,
Rob.
-- 
...
SwarmBuy.com - http://www.swarmbuy.com

Leveraging the buying power of the masses!
...




Re: [PHP] How to secure Flash Video? [Solved?]

2008-01-04 Thread tedd

Hi gang:

Here's my logic, so what's wrong with it?

My sole concern here is to protect a Video from being stolen and/or 
being viewed remotely while allowing approved users to view it.


It is a fact that anything you present to a user is theirs. There's 
no stopping them from downloading a Video if they have permission to 
do so. In fact, that's exactly what they do when they view a Video -- 
they can't view it in their browser unless their browser has it.


Now, I have investigated several ways to protect videos and prevent 
caching. Some methods are very complex -- but complexity does not 
always guarantee security. Complexity is more likely to present 
problems in its application. Sometimes the simplest method is best.


The simplest protection method I can think of can be done by using 
Flash Video Actionscript in concert with php/mysql.


It's a simple matter to have the Video run the following prior to displaying:

theXML.load("http://example.com/security.php")

That's similar to a javascript onload function.

Upon loading the Video, the Video will run the script security.php
which in turn will check to see if an approved user is attempting to
view the Video. This is done by simply checking a user-id session
variable in the script that delivers the Video.


If that session variable (user-id) is empty, then the security.php
returns nothing.


If that session variable is not empty, then the script will check the
user-id against the database to see if the user has permission to 
view the Video. If the user does not have permission, then the 
security.php script returns nothing.


If everything checks, then the security.php script will return a key 
and the Video will check that key against an internal key -- if a 
match is made, then the video plays.


Now, please note that this will also prohibit the user, even after 
paying for the Video, from downloading the Video for future plays 
because the Video will always check for a key.


Even if the user downloads the Video and takes the Video to a remote 
player, the Video will still try to run the security script seeking a 
key. If the security script is not there, then it fails.  Even if the
user figures out that the Video requires a key, the user still has no
way to determine what that internal key is.


So, I think this will work. What say all of you? Where have I screwed up?

And, please no one liners that solve the entire mess and make me look 
like a fool.


Cheers,

 tedd

--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] How to secure Flash Video? [Solved?]

2008-01-04 Thread Casey
On Jan 4, 2008 9:16 PM, tedd [EMAIL PROTECTED] wrote:
 Hi gang:

 Here's my logic, so what's wrong with it?

 My sole concern here is to protect a Video from being stolen and/or
 being viewed remotely while allowing approved users to view it.

 It is a fact that anything you present to a user is theirs. There's
 no stopping them from downloading a Video if they have permission to
 do so. In fact, that's exactly what they do when they view a Video --
 they can't view it in their browser unless their browser has it.

 Now, I have investigated several ways to protect videos and prevent
 caching. Some methods are very complex -- but complexity does not
 always guarantee security. Complexity is more likely to present
 problems in its application. Sometimes the simplest method is best.

 The simplest protection method I can think of can be done by using
 Flash Video Actionscript in concert with php/mysql.

 It's a simple matter to have the Video run the following prior to displaying:

 theXML.load("http://example.com/security.php")

 That's similar to a javascript onload function.

 Upon loading the Video, the Video will run the script security.php
 which in turn will check to see if an approved user is attempting to
 view the Video. This is done by simply checking a user-id session
 variable in the script that delivers the Video.

 If that session variable (user-id) is empty, then the security.php
 returns nothing.

 If that session variable is not empty, then the script will check the
 user-id against the database to see if the user has permission to
 view the Video. If the user does not have permission, then the
 security.php script returns nothing.

 If everything checks, then the security.php script will return a key
 and the Video will check that key against an internal key -- if a
 match is made, then the video plays.

 Now, please note that this will also prohibit the user, even after
 paying for the Video, from downloading the Video for future plays
 because the Video will always check for a key.

 Even if the user downloads the Video and takes the Video to a remote
 player, the Video will still try to run the security script seeking a
 key. If the security script is not there, then it fails.  Even if the
 user figures out that the Video requires a key, the user still has no
 way to determine what that internal key is.

 So, I think this will work. What say all of you? Where have I screwed up?

 And, please no one liners that solve the entire mess and make me look
 like a fool.

 Cheers,

   tedd


I'm not sure if you mean FLV's or SWF's.

If you mean FLV's loaded from SWF's, the browser can cache the FLV,
and the user can later retrieve it.

If you mean SWF's, there are extractors out there.

In other words, it's not really possible to completely secure these
videos, but this is a fairly good solution, as I see it.

-- 
-Casey
