This question already has answers here:
How can I prevent/make it hard to download my flash video?
(9 answers)
Closed 9 years ago.
i want to know how can we prevent others to download the videos in my site.
My site has the option of video uploading (in flv or mp4 format. Admin will upload them) and users can view the course videos online (using flowplayer) once they pay some amount.
But what i observed is that the users can download those videos using tools like Freecorder.
I dont want this to happen, because videos have restrictive access and only for a particular period of time (till the user's membership expires).
So how can i prevent the user from being able to download the videos in my site ?
The fundamental law of video distribution is very similar to the fundamental law of software licensing. It goes something like this: Once you put your video on a screen you don't control, you don't have control over distribution of your video any more.
Even if you could stop them from downloading the file, you can't stop them from hooking a VCR to their video card and re-recording it. Even if you use some protected-path technology to stop that, you can't stop them from pointing a camcorder at the screen.
If you want to keep your videos under wraps, you need to show them in a theater under your control on screens you control, and have someone watching the audience for video recording equipment. Nothing else is going to have more than a very slight slowing effect on re-distribution.
This post is old but what I have done to prevent some types of copying is store the movies in a database and add an expiration and a username and password to the page that send them to the screen.
This will not prevent direct recording of the screen, but it is one more step to help.
Streaming Video Files
If you want any real level of protection you need to use a true streaming server. The big advantage here is that the file is not actually downloaded to the user's computer—it is seen only as a real-time stream and there is no file left on the user's hard drive.
Streaming video provides fairly good protection. It will stop most casual thieves dead—only those with determination and a bit of technical understanding will continue to try and steal the video.
The most common method of stealing streaming video is to use a video stream capture tool. This is an application that captures a video stream and saves it as a file. This type of theft is extremely difficult to guard against. Although there may be some defences, e.g. denying access to known capture utilities, this level of defence starts to become a losing battle. A thief who is dedicated enough to use a stream capture utility is probably dedicated enough to do whatever it takes to get the video.
Even if the thief can't capture the stream directly, they can always use a screen capture utility. This is an application that captures whatever is displayed on screen. They can define a certain area or window (i.e. the video screen), play the video and tell the utility to capture it. There really isn't much you can do to fight this, but even if you could...
Anyone can set up a video camera and point it at a computer monitor. Anyone with a few clues can remove flicker and get a reasonable result. There is absolutely no way you can stop them from doing this. Although it's a very uncommon way to steal video, it's a good illustration of the fact that thieves always have one more option than the webmaster.
Related
In Imgur, you can input an image URL and a few seconds later, there's a thumbnail of the image. Or in Bing Search, you can (or used to) be able to view a thumbnail of the website in the search results before visiting it.
I would love to implement something similar for my website, but I can't wrap my head around on how it is done. Moreover, are there not security concerns? I'd imagine the servers have to at least download the website, render it and take a screenshot. What if it's a malicious website, and you download something malicious on your server?
A headless Web browser engine like PhantomJS can be used for this. See example on their wiki. Yes, it would be prudent to run this in some sort of a sandbox, feeding a queue of URLs into it, then taking the generated thumbnails from the file system.
While I don't know the internal workings of any of the aforementioned services, I'd guess that they download/create a local copy of the images and generate a thumbnail from that.
Imgur, as an image hosting service, definitely needs a copy of the image prior to being able to generate thumbnails or anything else from it. The image may be stored locally or just in memory, but either way, it must be downloaded.
The search engines displaying screenshots of the sites likely have services that periodically take a screenshot of the viewable area when the content is getting indexed, and then serve those screenshots (or derivatives) along with the search results. Taking a screenshot really isn't dangerous, so there's nothing to worry about there, and whatever tools are used to load/parse/index the websites will obviously be written with security considerations in mind.
Of course, there are security concerns about the data you're downloading, too; the images can easily contain executable code (such as PHP) in their EXIF data, so you need to be careful about what you do with the images and how.
I am building a site similar to thefuture.fm. DJs are able to upload MP3 files and set if the file only can be streamed or streamed and downloaded.
Visitors to the site don't have to login to listen to music. They should be able to stream/download these MP3 songs depending on the users settings.
I am using the jPlayer to play songs. I have searched all over the web but can't find any solution. Does jPlayer have any facility like prevent downloading of MP3 files? Or is there any way I can prevent this?
It's actually impossible to prevent downloading. You can make it harder for somebody, but he still needs to download all the data to hear the song. So even if you use some encryption to send the data to a flash player you write yourself, the player will have to decrypt it and play the audio. And since you can decompile flash it wouldn't be to hard to find out the algorithm. He could also just record the music again when playing it (similar to the first DVD decrypt tools, who just took a screenshot 30 times/sec to pass million dollar security measurements)
So the goal is to make it harder, not impossible.
Personally I would go for temporary available links in combination with a cookie, so I can still use jplayer and don't have to reinvent the wheel. Also use some obfuscating to make it harder to read the URL.
When somebody request the main URL (where you show your player) generate a unique key and save it in a cookie. The unique key should link to the IP address and request time stored in session.
Now create a link to the music file like playfile.php?file=music.mp3 or whatever. Just make sure that PHP will handle the file request. If you obfuscate this link it will be a little harder to find it.
In playfile.php check for the unique code in the cookie and check if it matches the IP address in session and the request time is less then EG 15 seconds (any longer and music won't play anyway with slow internet connection). If it is, stream the file. If it's not, block it.
Now if somebody would write a program/script to download the music, he can. But if somebody has the knowledge and time to do that, nothing will stop him from downloading it.
This will prevent any normal user from downloading it.
Preventing hotlinking is a bit easier, since in general you'll have a referrer string to check. If this is present then you'll know not to serve the content. Here is a code example.
Preventing downloading on the other hand is much harder - the best approach would be for a Flash application to decrypt data in realtime - if you use a simple encryption scheme, most client hardware should be fast enough. I couldn't find much for this on the web, so I wonder whether you'd have to do some Flash/Flex development yourself: download MP3 data in chunks, apply decryption routines from a library, and send them to some sort of MP3 decoding buffer. I suspect the password would be hard-coded.
Addendum: I've found that in later versions of Flash you can play dynamically generated sounds from a buffer (see here). So, if you're willing to get stuck into some Flash/Flex development, a solution is in sight. I couldn't find anything that accesses low-level MP3 routines, but don't forget that files don't have to be MP3 as transmitted from your server - convert them to whatever your app needs.
What you are searching for can't be achieved with JavaScript solution. If you want javascript to play something, it has to download it and in order to download it, JavaScript needs a URL.
Most common way to tackle this problem is using Adobe Flash and making a player in it. You can make your player stream content (mp3 in your case) without explicitly exposing actual data location to user.
Put the file(s) in a location that isn't accessible from the browser and use PHP to stream them out as a series of chunks using HTTP/1.1 206 Partial Content. Then use a method like this to edit the context menu to add/remove the 'save as'.
Use a session var to eliminate direct linking.
Actually, there is a player that DOES scramble the url and it works pretty good. We used it because of this excellent feature. It is not impossible to download/save the audio, but at least it is not a matter of just opening the inspector and copying the url. It also prevents from sharing to outside sources by URL. So, contrary to the above, it IS possible and it IS available :)
Check the plugin out here:
https://wordpress.org/plugins/mp3-jplayer/
I'm currently developing a game using PHP and MySql.
I'd like to allow users to be able to show images using a BBCode parser (NBBC) but i've been made aware of a potential security problem.
Allow me to explain:
The user enters a URL into a textarea box using code such as [img]http://example.com/image1.png[/img]
The user can then edit image1.png on the external server into a server side script that stores the user information (ip ect) and so forth.
User uses information to do some potentially nasty stuff!
My question is, how do we prevent this from happening and protect the users details when detailing with external sources?
The obvious answer is to only allow uploads to your site, but in this case, that really doesn't seem too practical.
Appreciate any help!
Actually you can by changing
[img]http://example.com/image1.png[/img]
into something like:
<img src="http://yourserver/proxy.blah?url=example.com/image1.png" />
So that your proxy would load the image instead of the user.
You can't because to your script it will look like a genuine image and there is no way of detecting anything different.
Any body can use .htaccess/ForceType to change the execution type of any file, grab user information and serve up an image in response.
I wrote a simple script for rotating images in a users forum signature many moons ago and it demonstrates this process: http://blog.simonholywell.com/post/374221718/flickering-images
You don't.
The only information the malicious user will be able to get is user's IP address and referrer URI, so you only need to make sure that nothing valuable is transmitted by it, (like session id, which you can bind to IP address or transfer via cookies).
It wouldn't even be necessary to turn that image into a script. The remote server's access log would capture the image request as it would any other request to a server. IP, browser UA, referer, etc...
If you allow external resources in user-provided data, you have no control whatsoever over how those resources are processed. If this image was for an Avatar (say), then nothing says the remote user can't make their avatar a puppy initially, then change it something nasty later on after the initial puppy picture's been approved.
Nothing says that the user couldn't point the avatar URL to a server they don't own themselves, in which case that other server's operator would get annoyed at the bandwidth theft and make the avatar picture into a Goatse-type image to get back at the bandwidth thief.
In short, if you allow external resources, you lose control. Keep everything in house where you can keep tabs on it.
Despite the responses saying this isn't a problem, it is. There are several ways to create a malicious image file that executes on the user's PC. You also have no control over whether the user's browser will honor the MIME type returned by the 3rd party server so it could return an executable file instead of an image, even though you may only allow links to files with image extensions (.png, .gif, .jpg, etc.). That interaction is entirely between your user and the 3rd party server but because it's embedded in your page the user experience will be that any infection originated from your site.
But even assuming the remote server only sends an image, you don't know if the image is even safe. See:
gifar image vulnerability
Infected .png files
Malicious code hides in jpgs
Uploading the images to your site is no walk in the park either, as discussed here.
User uses information to do some potentially nasty stuff!
You're being overly paranoid here. If a user is vulnerable just by having their IP known, their machine is already infested with a hundred different pieces of malware.
I want the videos that I play on my site should only be streamed but should not be accessible to download softwares. Can videos be protected from downloading so that no one should be able to record them
Thanks
Can videos be protected from downloading so that no one should be able to record them?
The short answer is: No.
Longer answer: It is impossible to protect anything from downloading unless you don't want anyone to watch it. Remember: if they can see it, they can record it.
Sure, just don't serve them up. By definition, for someone to view an online video, they have to download it. There's absolutely no way around it, short of forcing them to use a remote desktop type viewer. Once the bytes leave your server, you have absolutely zero control over what happens to them.
The answer to your question is no.
Why? No matter what sort of protection you put on the actual file, it needs to be transferred to the client computer somehow. And if you put some kind of DRM on the file so that only the person who's authorized to download the file can view it, it still needs to be viewed. This means that an enterprising person can intercept the actual values being displayed somehow and store them elsewhere. It could be as labour-intensive as getting a screenshot of every frame, then stitching that together to form a movie.
If you don't want people to download your videos, don't put them on public servers.
Being new to streaming videos:
I don't know how to properly ask the question
I don't know of the proper place to ask the question
I'll use YouTube as the base example
Let's say I render a video in high quality and I want to play it on my website with the embedded YouTube player (or jw). The video is hosted from my server, not YouTube.
Is there a way to force one set of users to see low quality vid and one set of users to have the option of seeing it in high quality (b/c of connection speeds they may not want hq)? I'm hoping to run a forum and the quality of the video would be a benefit to contributors or registered members.
I'd like to know how to do this server-side. I know the YouTube player has a quality param, but I'd like to be able to force the quality. If a scripting language is needed, I'm using Perl, but I'm open to a PHP alternative.
One other question that ties into this: if you have a video in hq, is it possible to play that in low quality, or would I have to render different versions of the same vid?
Thank you in advance.
Well, if you are hosting it yourself, the youtube player seems to be out of question, doesn't it?
To achieve what you are planning, the player plugin you are using has to support multiple qualities. Now, when generating the player embedding code in php, check if the current visitor is a user, if yes, supply the player with all video qualities, if not, just with the lowest one.
To display different qualities, you'd have to seperately render the videos.