Securing Video

[Jonathon]

Hi Larry,

 

I seem to be fighting a losing battle, I have a sports club website, which is going to have instructional coaching videos on. These videos are only for members of the club, so they are behind password protected pages. I need to keep these videos secure so that members can just view them, if I use HTML5 it seems as simple as saving an image that you can just save a HTML5 video. If I use something like unlisted videos in Youtube, it isn't that hard to just watch on youtube and get the link to the video and always have it, therefore they could just distribute the link to other people outside the club or worse, it seems that there are apps knocking about that will download and save youtube videos.

 

I know that these are members of our club, unfortunately, there is a degree of movement between members of our club and other clubs, plus often families will have kids in different clubs.

 

We know that we have a very good series of coaching videos so it's important that we protect all the videos.

 

What if anything could be done to secure the safety of my videos?

 

Hope you're well,

 

Jonathon

[rob]

Yeah this is the big stumbling block for html5 video.

 

You could store the files outside the document root and access them through a proxy script and run them through a flash player (JW player is pretty easy to use). I think some sites do this with javascript, but it's not an area I'm familiar with.

 

Alternatively, store the assets on Amazon S3 and set up bucket permissions to only allow linking from the server ip address the sports club website is hosted on. Then run it through a flash player on the website. You might also want to take a look at Amazon CDN which offers streaming. JW player has Amazon CloudFront support built in, but I've never used it.

 

Truth is though, if someone wants to copy your content, there's no way to prevent it; there are freely available tools for download that will rip flash/music/anything.

 

There are probably more options available which may suit your requirements better, I'll be interested to see what others have used/suggest.

[Jonathon]

Yeah it does seem a little tricky protect. HTML5 seems almost impossible to protect. To add to my problem, I'm doing it in WordPress, it's my first WP adventure really. I've got them in a folder outside my rootusing this plugin that is meant to secure html5 video, but it doesn't, you can just right click save the video. I don't have to use HTML5, I just gave it a bash as at least I could keep the videos looally, I didn't imagine it would be that hard to protect my DMR.

 

Thanks for your points Rob

[rob]

No worries,

 

Wanted to test this for myself, for anyone who was interested in a working example for locally stored video above the root directory for protection:

 

Downloaded latest JW player from http://www.longtailv.../jw-flv-player/

 

Created a page with the following code:

(include player.swf in same directory your viewer page)

 

<script type='text/javascript' src='jwplayer.js'></script>

<div id='mediaspace'>This text will be replaced</div>

<script type='text/javascript'>
jwplayer('mediaspace').setup({
 'flashplayer': 'player.swf',
 'file': 'proxy.php',
 'controlbar': 'bottom',
 'provider': 'video',
 'width': '470',
 'height': '320'
});
</script>

 

Created a directory above the document root called video (I know original); remember to check directory perms.

 

Found the absolute path to video directory

 

Created a proxy script called proxy.php (place in same directory as viewer page), with the following:

 

<?php

$file = "[ABSOLUTE_PATH_TO_VIDEO_DIR]" . 'video.mp4';

header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
header("Cache-Control: no-store, must-revalidate");
header("Content-Type: video/mp4");
header('Content-Length: ' . filesize($file));

readfile($file);

 

Obviously change ABSOLUTE_PATH_TO_VIDEO_DIR to whatever that is on your development/production server.

 

To play different video files pass the page with the player embedded a $_GET variable and then just send this to the proxy.php script:

 

proxy.php?video=your_get_var

 

Append to the end of $file instead of video.mp4 in the above example.

 

JW player also offers a setup wizard at http://www.longtailv...er-setup-wizard which shows an option for a playlist, which may be a better way of doing it, but I've run out of time to check.

 

NB:

 

JW player does offer HTML5 video with fallback to flash, but this was about protecting content so I haven't bothered with it.

 

This is just a quick proof of concept, I haven't included any validation in the proxy script; however, should be a good starting point for anyone who's interested.

[Jonathon]

Rob,

 

Thanks for the effort with this, I shall see about how to integrate this concept into WordPress. It's a problem that the movie industry have failed to solve ever since the web was born. I must admit I am not a fan of WordPress really, for 1 real reason, I'm sick of seeing "Web Developers" who wouldn't know what PHP was if it hit them in their face, yet make fortunes by pointing and clicking. But I must agree the platform itself is a good thing. But I'm fighting a losing battle with negativity, it doesn't hurt to be versed in the number 1 CMS.

 

Thanks Again

[Paul Swanson]

In addition to Rob's suggestion, you could use a .htaccess file in the directory housing the video to protect it from browsing. This will prevent any browser from accessing the directory (but PHP will still be able to access it):

 

# disable directory browsing
Options All -Indexes

# prevent folder listing
IndexIgnore *

# prevent access to any file
<FilesMatch "^.*$">
Order Allow,Deny
Deny from all
</FilesMatch>

[Jonathon]

Thanks Paul,

 

I currently have the videos outside the document root, but i'll drop in a .htaccess file anyway. I'd no idea it would have been this easy to just download videos online. I'm surprised that HTML5 doesn't allow some form of DMR protection really. But it's not much harder in HTML4 really.

[Larry]

This has been a good discussion. Thanks to everyone for their input!