Media Security & Acceptance 2021
In this post I would like to go through how people are downloading your media starting with the very basic and ending up in the most complex online security setups with DRM providers.
I have been working as a developer focusing on Media streaming for around 10 years and for the past 5 focussing on online Media security.
let’s get started and begin with the basics.
You steam your media via a url using http there are other methods like rtmp:// but lets focus on http.
Here is a url to a video.
If you paste this url in browser we will be using Chrome you will notice the video will start playing.
Obviously this has no security you can simply right click and save the video as.
This technology has been around for years and is mainly used to prevent users from hot linking your assets which means basically using your assets on their websites the urls are normally signed with a time frame and signature that changes on each page load.
The problem with this method is the signature request needs to be signed for the whole duration of the video so if your video is 30 minutes in length the timeframe would need to be 30 minutes giving the user plenty of time to grab the url and download.
How do user grab the download urls?
Simple! inspector tools all web browser not just Chrome have inspector tools that allow users to view the contents of the page to help with development.
In Chrome if you right click and inspect element you will see the dev tools some people try to prevent the user from right clicking but this is pointless as you can use keyboard shortcuts like cmd+shft+c.
Let’s do this with the video above right click and inspect element and a sidebar will appear click the network tab at the top and refresh the page.
If you look under the media tab you will see the video url you can right click this and open in new tab and download the media even if the urls is signed.
Ok that was very simple lets move onto more advanced technologies like HLS Adaptive Aitrate this works by taking a piece of media like the one above and encoding it into different renditions or playlists. From the above url we could encode it to have 2 playlists 360p 720p resolutions the technology will constantly monitor your internet connection speed and adapt (hence adaptive bitrate) and switch to the best resolution for your connection speed exactly like when you see the large services like Netflix and prime pixellate.
When encoded the video is split into multiple .ts segments.
Take this example
Open this up in Safari as chrome doesn’t support HLS Adaptive Bitrate, again open up developer tools and view the network tab.
Under Network All you will see it downloading each individual segment for playback and switch it you connection speed changes.
You maybe thinking this is more secure unfortunately think again this is easily download via browser extensions like.
- Chrome: Sky Downloader https://chrome.google.com/webstore/detail/video-downloader-by-skylo/pebcmofchocakhnljflecpkhadfplaea?hl=en-US
- Firefox: Video Download Helper https://addons.mozilla.org/en-GB/firefox/addon/video-downloadhelper/
- CoCo Browser: https://coccoc.com/home/en/
And Many More…
Because there is no protection anyone with access to the link can download the hls segments and use a tool like ffmpeg to piece them back together into an mp4.
ffmpeg -i master.m3u8 -acodec copy -vcodec copy out.mp4
What you can do is in the encoding process is encrypt each .ts segment with a key you then store this key and make the user request the key to download the file.
This works and will prevent browser extension from easily download your videos. But let’s move on.
Let take a minute to talk about the large video service and protection.
Spotify you can download any track on Spotify with this tool DRMare Music Convertor https://www.drmare.com/music-converter/ it routes audio though the sound card to record the tracks so there is no real way around this as your music obviously has to be played through the sound card to play.
Youtube: There are many websites that will simply download YouTube videos for you most of them will be using this tool. https://github.com/ytdl-org/youtube-dl this can be easily installed on your computer like this.
sudo curl -L https://yt-dl.org/downloads/latest/youtube-dl -o /usr/local/bin/youtube-dl sudo chmod a+rx /usr/local/bin/youtube-dl
You can then run youtube-dl [OPTIONS] URL [URL…] and download any YouTube content you like.
You can also download videos from these site with this tool. http://ytdl-org.github.io/youtube-dl/supportedsites.html
Vimeo seems to have given up on videos security and you can’t really blame them.
All these website use DRM which stands for Digital Right Management it works similar to above by encoding your videos and storing a key on a licence server these are indeed a minefield and painful as you need multiple ones to support different browsers and platforms here is a list the main ones are Widevine, Playready & Fairplay.
Lets say you have spent weeks of development and working with multiple DRM providers
All being encoded through AWS Speke setups.
You content has to be secure then right? Wrong…
Enter screen recorders you can open Netflix AppleTV and PrimeVideo all through Chrome Browser and set the screen size and record any Episode, Series, Movie you like with one disadvantage you have to wait for the whole length of the movie a little inconvenience it really is painfully millions of pounds spent on security and its really that easy.
You can download free streaming software OBS and simply click start recording https://obsproject.com.
You have to give AppleTV props for there desktop app as this does prevent screen recording but it doesn’t stop you opening AppleTV in Chrome and recording through there.
By now you are probably utterly depressed losing your mind thinking there must be a way.
Ok one more thing with screen recording you can add a watermark that will display the users username and email while they watch your video this way if they chose to screen record at least you know who did it. They can however obviously setup a fake username and email and do it anyway but if your content is behind a paywall that may put someone of.
Also they can crop the username and email out when using the screen recording software, you can make the username and email move around the video not staying in one place this will prevent the user from screen recording but you will have customers complaining about there username and email floating around the screen.
Acceptance – The Power of Acceptance: Stop Resisting and Change Direction
I guess at this stage we should talk about acceptance in no way am I saying do not add security! add as much as possible to prevent the 90% from downloading your media most people are using DRM providers simple because it is industry standard and the companies required this to approve it to be distributed but it can be easily recorded and shared.
People tend to feel like they have discovered the holy grail when finding and running these technologies, when in reality they have been around for years and you don’t have to be a genius hacker to use them. Someone who has some basic knowledge with computers can easily run them. Again it’s really down to how much someone wants your content and what lengths they are willing to go to get it.
When it comes to linear tv this again is super easy to rip you can download many tools and capture devices from Amazon from under £30 that will easily download and save content directly from your TV.
If someone wants your content bad enough they will get it.
If you are producing quality content with an easy to use interface this should out way the prospect of using an illegal site to stream media, lets face it the only reason you would ever think about going to an illegal site is if you can’t get the content on one of the large ones most people are happy to pay for a quality service.
Spotify started off illegally streaming music https://gizmodo.com/early-spotify-was-built-on-pirated-mp3-files-new-book-1795109991.
YouTube is absolutely full of copyrighted content that they choose not to remove as it would hurt their business plan it could be easily prevented in their upload process.
Media streaming is a minefield I have setup all these technologies most of it is down to the requirements of the client so it definitely has its place.
The only real way to prevent videos from being downloaded or screen shared on desktop is not to use browsers to stream your media. Build a desktop media player app that can monitor your system to see what services are running like ffmpeg or screen recorders like NowTV or AppleTv.
Oh and last thing let’s not forget the good old fashioned sticking a camera in from of a screen like people used to do in movies theatre with their hidden cameras of maybe they still do who knows.
Any suggestions or thought I would love to hear them.