I am building a site similar to thefuture.fm. DJs are able to upload MP3 files and set if the file only can be streamed or streamed and downloaded.
Visitors to the site don't have to login to listen to music. They should be able to stream/download these MP3 songs depending on the users settings.
I am using the jPlayer to play songs. I have searched all over the web but can't find any solution. Does jPlayer have any facility like prevent downloading of MP3 files? Or is there any way I can prevent this?
It's actually impossible to prevent downloading. You can make it harder for somebody, but he still needs to download all the data to hear the song. So even if you use some encryption to send the data to a flash player you write yourself, the player will have to decrypt it and play the audio. And since you can decompile flash it wouldn't be to hard to find out the algorithm. He could also just record the music again when playing it (similar to the first DVD decrypt tools, who just took a screenshot 30 times/sec to pass million dollar security measurements)
So the goal is to make it harder, not impossible.
Personally I would go for temporary available links in combination with a cookie, so I can still use jplayer and don't have to reinvent the wheel. Also use some obfuscating to make it harder to read the URL.
When somebody request the main URL (where you show your player) generate a unique key and save it in a cookie. The unique key should link to the IP address and request time stored in session.
Now create a link to the music file like playfile.php?file=music.mp3 or whatever. Just make sure that PHP will handle the file request. If you obfuscate this link it will be a little harder to find it.
In playfile.php check for the unique code in the cookie and check if it matches the IP address in session and the request time is less then EG 15 seconds (any longer and music won't play anyway with slow internet connection). If it is, stream the file. If it's not, block it.
Now if somebody would write a program/script to download the music, he can. But if somebody has the knowledge and time to do that, nothing will stop him from downloading it.
This will prevent any normal user from downloading it.
Preventing hotlinking is a bit easier, since in general you'll have a referrer string to check. If this is present then you'll know not to serve the content. Here is a code example.
Preventing downloading on the other hand is much harder - the best approach would be for a Flash application to decrypt data in realtime - if you use a simple encryption scheme, most client hardware should be fast enough. I couldn't find much for this on the web, so I wonder whether you'd have to do some Flash/Flex development yourself: download MP3 data in chunks, apply decryption routines from a library, and send them to some sort of MP3 decoding buffer. I suspect the password would be hard-coded.
Addendum: I've found that in later versions of Flash you can play dynamically generated sounds from a buffer (see here). So, if you're willing to get stuck into some Flash/Flex development, a solution is in sight. I couldn't find anything that accesses low-level MP3 routines, but don't forget that files don't have to be MP3 as transmitted from your server - convert them to whatever your app needs.
What you are searching for can't be achieved with JavaScript solution. If you want javascript to play something, it has to download it and in order to download it, JavaScript needs a URL.
Most common way to tackle this problem is using Adobe Flash and making a player in it. You can make your player stream content (mp3 in your case) without explicitly exposing actual data location to user.
Put the file(s) in a location that isn't accessible from the browser and use PHP to stream them out as a series of chunks using HTTP/1.1 206 Partial Content. Then use a method like this to edit the context menu to add/remove the 'save as'.
Use a session var to eliminate direct linking.
Actually, there is a player that DOES scramble the url and it works pretty good. We used it because of this excellent feature. It is not impossible to download/save the audio, but at least it is not a matter of just opening the inspector and copying the url. It also prevents from sharing to outside sources by URL. So, contrary to the above, it IS possible and it IS available :)
Check the plugin out here:
https://wordpress.org/plugins/mp3-jplayer/
Related
In Imgur, you can input an image URL and a few seconds later, there's a thumbnail of the image. Or in Bing Search, you can (or used to) be able to view a thumbnail of the website in the search results before visiting it.
I would love to implement something similar for my website, but I can't wrap my head around on how it is done. Moreover, are there not security concerns? I'd imagine the servers have to at least download the website, render it and take a screenshot. What if it's a malicious website, and you download something malicious on your server?
A headless Web browser engine like PhantomJS can be used for this. See example on their wiki. Yes, it would be prudent to run this in some sort of a sandbox, feeding a queue of URLs into it, then taking the generated thumbnails from the file system.
While I don't know the internal workings of any of the aforementioned services, I'd guess that they download/create a local copy of the images and generate a thumbnail from that.
Imgur, as an image hosting service, definitely needs a copy of the image prior to being able to generate thumbnails or anything else from it. The image may be stored locally or just in memory, but either way, it must be downloaded.
The search engines displaying screenshots of the sites likely have services that periodically take a screenshot of the viewable area when the content is getting indexed, and then serve those screenshots (or derivatives) along with the search results. Taking a screenshot really isn't dangerous, so there's nothing to worry about there, and whatever tools are used to load/parse/index the websites will obviously be written with security considerations in mind.
Of course, there are security concerns about the data you're downloading, too; the images can easily contain executable code (such as PHP) in their EXIF data, so you need to be careful about what you do with the images and how.
This question already has answers here:
How can I prevent/make it hard to download my flash video?
(9 answers)
Closed 9 years ago.
i want to know how can we prevent others to download the videos in my site.
My site has the option of video uploading (in flv or mp4 format. Admin will upload them) and users can view the course videos online (using flowplayer) once they pay some amount.
But what i observed is that the users can download those videos using tools like Freecorder.
I dont want this to happen, because videos have restrictive access and only for a particular period of time (till the user's membership expires).
So how can i prevent the user from being able to download the videos in my site ?
The fundamental law of video distribution is very similar to the fundamental law of software licensing. It goes something like this: Once you put your video on a screen you don't control, you don't have control over distribution of your video any more.
Even if you could stop them from downloading the file, you can't stop them from hooking a VCR to their video card and re-recording it. Even if you use some protected-path technology to stop that, you can't stop them from pointing a camcorder at the screen.
If you want to keep your videos under wraps, you need to show them in a theater under your control on screens you control, and have someone watching the audience for video recording equipment. Nothing else is going to have more than a very slight slowing effect on re-distribution.
This post is old but what I have done to prevent some types of copying is store the movies in a database and add an expiration and a username and password to the page that send them to the screen.
This will not prevent direct recording of the screen, but it is one more step to help.
Streaming Video Files
If you want any real level of protection you need to use a true streaming server. The big advantage here is that the file is not actually downloaded to the user's computer—it is seen only as a real-time stream and there is no file left on the user's hard drive.
Streaming video provides fairly good protection. It will stop most casual thieves dead—only those with determination and a bit of technical understanding will continue to try and steal the video.
The most common method of stealing streaming video is to use a video stream capture tool. This is an application that captures a video stream and saves it as a file. This type of theft is extremely difficult to guard against. Although there may be some defences, e.g. denying access to known capture utilities, this level of defence starts to become a losing battle. A thief who is dedicated enough to use a stream capture utility is probably dedicated enough to do whatever it takes to get the video.
Even if the thief can't capture the stream directly, they can always use a screen capture utility. This is an application that captures whatever is displayed on screen. They can define a certain area or window (i.e. the video screen), play the video and tell the utility to capture it. There really isn't much you can do to fight this, but even if you could...
Anyone can set up a video camera and point it at a computer monitor. Anyone with a few clues can remove flicker and get a reasonable result. There is absolutely no way you can stop them from doing this. Although it's a very uncommon way to steal video, it's a good illustration of the fact that thieves always have one more option than the webmaster.
I want the videos that I play on my site should only be streamed but should not be accessible to download softwares. Can videos be protected from downloading so that no one should be able to record them
Thanks
Can videos be protected from downloading so that no one should be able to record them?
The short answer is: No.
Longer answer: It is impossible to protect anything from downloading unless you don't want anyone to watch it. Remember: if they can see it, they can record it.
Sure, just don't serve them up. By definition, for someone to view an online video, they have to download it. There's absolutely no way around it, short of forcing them to use a remote desktop type viewer. Once the bytes leave your server, you have absolutely zero control over what happens to them.
The answer to your question is no.
Why? No matter what sort of protection you put on the actual file, it needs to be transferred to the client computer somehow. And if you put some kind of DRM on the file so that only the person who's authorized to download the file can view it, it still needs to be viewed. This means that an enterprising person can intercept the actual values being displayed somehow and store them elsewhere. It could be as labour-intensive as getting a screenshot of every frame, then stitching that together to form a movie.
If you don't want people to download your videos, don't put them on public servers.
Is there anyway to hide .swf path showing up from webpage?
you can use a php script something like getswf.php?name=flash.swf in your flash tags. Then create getswf.php script to respond with output of flash.swf file, and keep flash.swf file in a directory outside of public directory.
There may be ways to make it difficult to view. However, nothing you do can stop an intelligent adversary from using a tool like Fiddler to monitor web traffic and undo all your obfuscation.
I think this is a fairly pointless exercise. Any resource that gets sent to a browser, be it an image, sound, flash movie, even flv files loaded by the YouTube player, can all be saved to disk fairly easily.
As Justin mentions, Fiddler can achieve this easily.
As others answered it there are ways to do it using your script. If you are looking for a paid option check this out Media Vault.
Hiding the URL to the swf file might be quite a challenge but there are other things you can do if you're wanting to more closely protect the video/data being displayed by the swf.
I'll run through a couple of ideas in the order I think them most obfuscated with the least first. Bare in mind that most of these techniques merely make it harder to get to the information/video rather than making it impossible to obtain.
The main idea most sites tend to follow is that of having the swf as a player and the content in another file somewhere else, usually an flv or mp4 etc.
Add flv location through Javascript
This technique is as basic as it sounds. You have your swf player on the page and pass a new variable too it (such as 'file') with the location to the flv file using Javascript. If you're already loading your content with some kind of JS flash module then all the easier to begin implimenting.
Obfuscating flv location through XML
Another techniqe I've seen used quite recently is that of having an XML document as a paremeter to the swf player and then the flash player itself resolves the URL of the flv from a node in the XML. It's easy to get to the flv URL if you want to but it does make it that little bit harder.
Token access
This technique can be used in conjunction with any of the above two. You basically ensure that your flv files can only be accessed with the use of a special token otherwise the page returns a HTTP error. The token would be understood by the flash player and the server and upon the player making a request for the flv, a token must be included (usuallu the token itself is obfuscated in some way that it cannot be easily mimmicked through a simple GET request).
Domain access
Very similar to the above however in this case, the flv file will only be loaded when the requesting URL is a specific site. All other requests will be denied (such as directly hitting the flv location in your browser.
As stated above, none of these methods make it impossible to get hold of your flash material. If it's on the web (or any network for that matter), it's possibly a target. You'll usually find for most things that making it harder to obtain will deter a lot of those who would otherwise have been privy to downloading your content.
Completely hiding the URL to the swf
If your only criteria is to hide the URL then hiding it behind a URL rewrite is the best option I can think of.
Your swf might be at /location/flash/player.swf?file=summer.flv and then you could do a URL rewrite to something like /vacations/summer2011/.
This way the URL to the swf is completely hidden away and this should satisfy your desire to hide the swf path.
The answer is NO.
You may not want to believe it. but it is a fact. you can do all you like to obfuscate it. but the browser needs to find it. if the browser can find it so can anyone else.
A server side script that acts as a loader will hide the real path to the file, but to what purpose. the end result is the file is still available.
If you want a simple answer, so simple people can't find it then the people here have given you some suggestions. obfuscation is the best you can hope to achieve.
Alternately only allow approved users access to the file. that way they need to log in to get access to it. but if you want it available publicly then its well, public!
DC
I know this question is silly.
But as per our intelligent Client request, I am not able to answer his question. Any one help for this.
We are building a online tutoring site. where it contains pdf, .ppt, .doc formats files are uploaded for reading as course materials. His (Client) request is that user can read all the contents but they must not download the materials and use this.
That is all the documents must be opened in their browsers.
Is it possible? Any other ideas?
Any other ideas?
Explain to your client that the only way for a document to appear on a user's computer screen is for the document to exist on that user's computer.
In other words, viewing a document involves downloading it. Even supposing the software on the user's computer somehow makes it impossible for the user to directly manipulate an electronic copy of the material, the user can take out a digital camera and take a picture of the screen.
There are ways to make it difficult for the user to save a copy of the file. However, it's likely that this will do more harm (frustrating users) than good (preventing theft).
Some users may want to peruse the material at times when they do not have an internet connection, or may want to copy it onto their mobile device (for instance), but accessing the internet on their mobile device is expensive so they would like to do the download on their computer.
If you send the data to the client the client has effectively downloaded it. You can make this difficult, but not impossible.
The only sure way to prevent downloading is to prevent viewing.
If this is a copyright problem it should be solved with legalese, not software.
Here are some guide-lines you may consider:
Don't put direct link of files such as:
Download
Instead, try to generate your pdf dynamically or put a another encrypted medium for
downloading eg:
Download
2: Don't allow directory browsing, use htaccess file with following commands:
Deny from ALL
3: Not sure, but you may possibly allow file opening this way too:
$filename="/path/to/file.jpg"; //<-- specify the image file
if(file_exists($filename)){
header('Content-Length: '.filesize($filename])); //<-- sends filesize header
header('Content-Type: image/jpg'); //<-- send mime-type header
header('Content-Disposition: inline; filename="'.$filename.'";'); //<-- sends filename header
readfile($filename); //<--reads and outputs the file onto the output buffer
exit; //and exit
}
Note: above is just an example of image not pdf but you can modify it for your needs.
An online site does not necessarily mean it is a web site. You could write a custom client that accesses the data and displays it.
The data would need to be encrypted between the client and the server. It probably should not be sent 'in bulk' either.
The effort associated with developing that is prohibitive.
You could license the software that allows users to read books, page by page, that is part of the Safari Books Online web site.
As best I can tell, they take the pages that they are going to display and turn them into small images. These images look as if they are sent in a random order, and assembled by the browser via javascript.
These tactics won't stop a determined person from getting your clients content... but the effort is unlikely to be worth it.
You could put the docs into Google docs and embed the docs viewer into your site. Of course, there's no stopping people from taking screenshots, copy/pasting text, downloading HTML, etc.
What do you mean by "read" but not "download"?? Do you know that even if you disable cache (which by itself is a bad idea) won't restrict an eaaaasy right-click>view source, "save target as", etc.?
I mean, the best you can have is a flash reader that is harder to save the content from, and that means disabling selection and copying, but anyway, it doesn't forbid anything.
The only way to forbid download is to return HTTP 403 :)