How to protect streaming videos from download - php

I want the videos that I play on my site should only be streamed but should not be accessible to download softwares. Can videos be protected from downloading so that no one should be able to record them
Thanks

Can videos be protected from downloading so that no one should be able to record them?
The short answer is: No.
Longer answer: It is impossible to protect anything from downloading unless you don't want anyone to watch it. Remember: if they can see it, they can record it.

Sure, just don't serve them up. By definition, for someone to view an online video, they have to download it. There's absolutely no way around it, short of forcing them to use a remote desktop type viewer. Once the bytes leave your server, you have absolutely zero control over what happens to them.

The answer to your question is no.
Why? No matter what sort of protection you put on the actual file, it needs to be transferred to the client computer somehow. And if you put some kind of DRM on the file so that only the person who's authorized to download the file can view it, it still needs to be viewed. This means that an enterprising person can intercept the actual values being displayed somehow and store them elsewhere. It could be as labour-intensive as getting a screenshot of every frame, then stitching that together to form a movie.
If you don't want people to download your videos, don't put them on public servers.

Related

How do sites like Bing Search, Imgur, and Reddit generate a thumbnail of the website from a URL?

In Imgur, you can input an image URL and a few seconds later, there's a thumbnail of the image. Or in Bing Search, you can (or used to) be able to view a thumbnail of the website in the search results before visiting it.
I would love to implement something similar for my website, but I can't wrap my head around on how it is done. Moreover, are there not security concerns? I'd imagine the servers have to at least download the website, render it and take a screenshot. What if it's a malicious website, and you download something malicious on your server?
A headless Web browser engine like PhantomJS can be used for this. See example on their wiki. Yes, it would be prudent to run this in some sort of a sandbox, feeding a queue of URLs into it, then taking the generated thumbnails from the file system.
While I don't know the internal workings of any of the aforementioned services, I'd guess that they download/create a local copy of the images and generate a thumbnail from that.
Imgur, as an image hosting service, definitely needs a copy of the image prior to being able to generate thumbnails or anything else from it. The image may be stored locally or just in memory, but either way, it must be downloaded.
The search engines displaying screenshots of the sites likely have services that periodically take a screenshot of the viewable area when the content is getting indexed, and then serve those screenshots (or derivatives) along with the search results. Taking a screenshot really isn't dangerous, so there's nothing to worry about there, and whatever tools are used to load/parse/index the websites will obviously be written with security considerations in mind.
Of course, there are security concerns about the data you're downloading, too; the images can easily contain executable code (such as PHP) in their EXIF data, so you need to be careful about what you do with the images and how.

How can I encrypt or protect a video file? [duplicate]

This question already has answers here:
How can I prevent/make it hard to download my flash video?
(9 answers)
Closed 9 years ago.
i want to know how can we prevent others to download the videos in my site.
My site has the option of video uploading (in flv or mp4 format. Admin will upload them) and users can view the course videos online (using flowplayer) once they pay some amount.
But what i observed is that the users can download those videos using tools like Freecorder.
I dont want this to happen, because videos have restrictive access and only for a particular period of time (till the user's membership expires).
So how can i prevent the user from being able to download the videos in my site ?
The fundamental law of video distribution is very similar to the fundamental law of software licensing. It goes something like this: Once you put your video on a screen you don't control, you don't have control over distribution of your video any more.
Even if you could stop them from downloading the file, you can't stop them from hooking a VCR to their video card and re-recording it. Even if you use some protected-path technology to stop that, you can't stop them from pointing a camcorder at the screen.
If you want to keep your videos under wraps, you need to show them in a theater under your control on screens you control, and have someone watching the audience for video recording equipment. Nothing else is going to have more than a very slight slowing effect on re-distribution.
This post is old but what I have done to prevent some types of copying is store the movies in a database and add an expiration and a username and password to the page that send them to the screen.
This will not prevent direct recording of the screen, but it is one more step to help.
Streaming Video Files
If you want any real level of protection you need to use a true streaming server. The big advantage here is that the file is not actually downloaded to the user's computer—it is seen only as a real-time stream and there is no file left on the user's hard drive.
Streaming video provides fairly good protection. It will stop most casual thieves dead—only those with determination and a bit of technical understanding will continue to try and steal the video.
The most common method of stealing streaming video is to use a video stream capture tool. This is an application that captures a video stream and saves it as a file. This type of theft is extremely difficult to guard against. Although there may be some defences, e.g. denying access to known capture utilities, this level of defence starts to become a losing battle. A thief who is dedicated enough to use a stream capture utility is probably dedicated enough to do whatever it takes to get the video.
Even if the thief can't capture the stream directly, they can always use a screen capture utility. This is an application that captures whatever is displayed on screen. They can define a certain area or window (i.e. the video screen), play the video and tell the utility to capture it. There really isn't much you can do to fight this, but even if you could...
Anyone can set up a video camera and point it at a computer monitor. Anyone with a few clues can remove flicker and get a reasonable result. There is absolutely no way you can stop them from doing this. Although it's a very uncommon way to steal video, it's a good illustration of the fact that thieves always have one more option than the webmaster.

jPlayer Stream MP3 but prevent from downloading and hotlinking

I am building a site similar to thefuture.fm. DJs are able to upload MP3 files and set if the file only can be streamed or streamed and downloaded.
Visitors to the site don't have to login to listen to music. They should be able to stream/download these MP3 songs depending on the users settings.
I am using the jPlayer to play songs. I have searched all over the web but can't find any solution. Does jPlayer have any facility like prevent downloading of MP3 files? Or is there any way I can prevent this?
It's actually impossible to prevent downloading. You can make it harder for somebody, but he still needs to download all the data to hear the song. So even if you use some encryption to send the data to a flash player you write yourself, the player will have to decrypt it and play the audio. And since you can decompile flash it wouldn't be to hard to find out the algorithm. He could also just record the music again when playing it (similar to the first DVD decrypt tools, who just took a screenshot 30 times/sec to pass million dollar security measurements)
So the goal is to make it harder, not impossible.
Personally I would go for temporary available links in combination with a cookie, so I can still use jplayer and don't have to reinvent the wheel. Also use some obfuscating to make it harder to read the URL.
When somebody request the main URL (where you show your player) generate a unique key and save it in a cookie. The unique key should link to the IP address and request time stored in session.
Now create a link to the music file like playfile.php?file=music.mp3 or whatever. Just make sure that PHP will handle the file request. If you obfuscate this link it will be a little harder to find it.
In playfile.php check for the unique code in the cookie and check if it matches the IP address in session and the request time is less then EG 15 seconds (any longer and music won't play anyway with slow internet connection). If it is, stream the file. If it's not, block it.
Now if somebody would write a program/script to download the music, he can. But if somebody has the knowledge and time to do that, nothing will stop him from downloading it.
This will prevent any normal user from downloading it.
Preventing hotlinking is a bit easier, since in general you'll have a referrer string to check. If this is present then you'll know not to serve the content. Here is a code example.
Preventing downloading on the other hand is much harder - the best approach would be for a Flash application to decrypt data in realtime - if you use a simple encryption scheme, most client hardware should be fast enough. I couldn't find much for this on the web, so I wonder whether you'd have to do some Flash/Flex development yourself: download MP3 data in chunks, apply decryption routines from a library, and send them to some sort of MP3 decoding buffer. I suspect the password would be hard-coded.
Addendum: I've found that in later versions of Flash you can play dynamically generated sounds from a buffer (see here). So, if you're willing to get stuck into some Flash/Flex development, a solution is in sight. I couldn't find anything that accesses low-level MP3 routines, but don't forget that files don't have to be MP3 as transmitted from your server - convert them to whatever your app needs.
What you are searching for can't be achieved with JavaScript solution. If you want javascript to play something, it has to download it and in order to download it, JavaScript needs a URL.
Most common way to tackle this problem is using Adobe Flash and making a player in it. You can make your player stream content (mp3 in your case) without explicitly exposing actual data location to user.
Put the file(s) in a location that isn't accessible from the browser and use PHP to stream them out as a series of chunks using HTTP/1.1 206 Partial Content. Then use a method like this to edit the context menu to add/remove the 'save as'.
Use a session var to eliminate direct linking.
Actually, there is a player that DOES scramble the url and it works pretty good. We used it because of this excellent feature. It is not impossible to download/save the audio, but at least it is not a matter of just opening the inspector and copying the url. It also prevents from sharing to outside sources by URL. So, contrary to the above, it IS possible and it IS available :)
Check the plugin out here:
https://wordpress.org/plugins/mp3-jplayer/

how to make a user restrict to download?

I know this question is silly.
But as per our intelligent Client request, I am not able to answer his question. Any one help for this.
We are building a online tutoring site. where it contains pdf, .ppt, .doc formats files are uploaded for reading as course materials. His (Client) request is that user can read all the contents but they must not download the materials and use this.
That is all the documents must be opened in their browsers.
Is it possible? Any other ideas?
Any other ideas?
Explain to your client that the only way for a document to appear on a user's computer screen is for the document to exist on that user's computer.
In other words, viewing a document involves downloading it. Even supposing the software on the user's computer somehow makes it impossible for the user to directly manipulate an electronic copy of the material, the user can take out a digital camera and take a picture of the screen.
There are ways to make it difficult for the user to save a copy of the file. However, it's likely that this will do more harm (frustrating users) than good (preventing theft).
Some users may want to peruse the material at times when they do not have an internet connection, or may want to copy it onto their mobile device (for instance), but accessing the internet on their mobile device is expensive so they would like to do the download on their computer.
If you send the data to the client the client has effectively downloaded it. You can make this difficult, but not impossible.
The only sure way to prevent downloading is to prevent viewing.
If this is a copyright problem it should be solved with legalese, not software.
Here are some guide-lines you may consider:
Don't put direct link of files such as:
Download
Instead, try to generate your pdf dynamically or put a another encrypted medium for
downloading eg:
Download
2: Don't allow directory browsing, use htaccess file with following commands:
Deny from ALL
3: Not sure, but you may possibly allow file opening this way too:
$filename="/path/to/file.jpg"; //<-- specify the image file
if(file_exists($filename)){
header('Content-Length: '.filesize($filename])); //<-- sends filesize header
header('Content-Type: image/jpg'); //<-- send mime-type header
header('Content-Disposition: inline; filename="'.$filename.'";'); //<-- sends filename header
readfile($filename); //<--reads and outputs the file onto the output buffer
exit; //and exit
}
Note: above is just an example of image not pdf but you can modify it for your needs.
An online site does not necessarily mean it is a web site. You could write a custom client that accesses the data and displays it.
The data would need to be encrypted between the client and the server. It probably should not be sent 'in bulk' either.
The effort associated with developing that is prohibitive.
You could license the software that allows users to read books, page by page, that is part of the Safari Books Online web site.
As best I can tell, they take the pages that they are going to display and turn them into small images. These images look as if they are sent in a random order, and assembled by the browser via javascript.
These tactics won't stop a determined person from getting your clients content... but the effort is unlikely to be worth it.
You could put the docs into Google docs and embed the docs viewer into your site. Of course, there's no stopping people from taking screenshots, copy/pasting text, downloading HTML, etc.
What do you mean by "read" but not "download"?? Do you know that even if you disable cache (which by itself is a bad idea) won't restrict an eaaaasy right-click>view source, "save target as", etc.?
I mean, the best you can have is a flash reader that is harder to save the content from, and that means disabling selection and copying, but anyway, it doesn't forbid anything.
The only way to forbid download is to return HTTP 403 :)

How to serve .flv files using PHP?

I'm building a streaming video site. The idea is that the customers should pay for a membership, login to the system, and be able to view the videos. I'm going with FlowPlayer for showing the actual videos.
The problem now is, the videos need to be stored somewhere publically and the url to the .flv files needs to be passed to flowplayer for it to be able to show them. This creates a problem because anyone can do a view source, download the video, and distribute it all across the internet.
I know some people serve images using php by doing an image header() and then they can do something like:
<img src="image.php?userId=1828&img=test.gif" />
The php script validates the user ID and serves up the .gif and the actual url of the gif is never revealed.
Is there anyway to do this with .flv or any other video format also? E.g, the file and user ID passed onto the PHP script, it validates them, and returns the video?
You can set up a directory containing the FLV files on your webserver that can only be accessed by PHP, then in your PHP script you can authenticate the user as usual and simply send a header to the browser telling it to expect an FLV, then echo the raw FLV data:
<?php
// here is where
// you want your
// user authentication
if ($isAuthenticated)
{
header("Content-type: video/flv");
echo file_get_contents($pathToFLV);
}
?>
As Chad Birch discussed, this will only prevent people from linking directly to the video - you can't prevent piracy this way.
The short answer is that no, you're never going to be able to prevent people from downloading your videos if they want to. There are various ways to make it trickier for them to do it, but there's no foolproof method. You're hitting what is basically the entire problem with DRM - you can't show someone your content without giving it to them unencrypted at some point, and if they can view it, they can rip it.
Since your flv player is a flash application, it will always be possible to download and decompile it. When decompiled the actual url to the flv will be visible. So it won't really make any difference if you are using direct url's to the flv movies or something like you described in your question
<img src="image.php?userId=1828&img=test.gif" />
Please google the word Pseudostreaming you will get the answer
There are some servers like lighttpd which has inherent support for flv streaming....
I hope you will get the answer.........
Apache with mod_flvx module also has similar effect like lighttpd.

Categories