Stopping content thieves from taking your Flash video content requires a little extra work and some resources.  If you follow these guidelines, then your content won’t show up on PirateBay or YouTube.

There are lots of applications and plug-ins out there to allow you to capture video streams off the Internet.  It’s so easy that you may think there is no way to protect your content at all.  The following with give you some advice on how to protect your videos and sleep better at night.  You’re going to employ some extra services or buy some software, but if your content is valuable then it’s worth the investment.

Protecting Windows Media content has been fairly easy for quite some time.  You can use the Windows Media DRM suite which will attach a digital certificate to the WMV file and require an active and valid cert to be downloaded in order to watch the video.  Although this system isn’t fool proof, it’s pretty strong and will stop most people dead in their tracks.  Microsoft is gearing up to roll out PlayReady which will plug the holes up in WM DRM.  It fully supports Silverlight in both Windows and Mac OS, and will be easy to use (so they say).  Look for a full deployment of PlayReady this summer.

But how do you protect Flash videos, specifically FLV, F4V, and MP4?  If you deliver your content via progressive download, then there will be little chance you can stop someone from taking that video from you with little effort.  Progressive download is literally downloading the file to the end user PC.  Where’s the protection?

There is no technology today to add DRM to the file itself.  Although there are some services out there that will offer something like that, they typically require you to use their proprietary Flash player in order to protect the content, who wants to do that?

So that leaves us with one option, protect the delivery of the video.  You may immediately think you can just stream the video using a Flash Media Server or Wowza server.  Think again.  Products like Replay Media Capture can snatch that stream right up.  What you need to do is stream the video using a Flash Media Server using RTMPE instead of RTMP.  You also need to disable RTMP from the server all together.  Adobe had a security warning about this awhile back.  Leaving RTMP on, allows for a back door.  RTMPE will encrypt the stream during delivery makeing it very difficult to de-compile and capture.

Are we done yet?  Nope, I’m just getting started…  What’s to prevent someone from discovering your stream name and then embedding that in their own Flash player?  You need to use SWF verification.  SWF verification will will ensure that the SWF playing the video is your SWF and not someone elses.  Again, you will need Flash Media Server to do this with.

Are we done now?  Not quite.  You’ll be delivering your SWF via HTTP to the browser, so it wouldn’t be too hard to locate that file and WGET it.  Now I have your player I can play it all I want.  What do you do now?  Use a Token based authentication with a time expiring URL.  These schemes usually use a MD5 128-Encrypted hash.  What will happen is, a unique URL will be used to play the video each and every time someone visits your site.  The URL will pass a token back to a secure server proving that the hash is authentic.  Then an time expire value is appended to the URL that will expire that link in a matter of seconds or a minute.  Nothing too long.  Access to the link is the only thing expiring, not the content.  So as long as the person has started watching the video with in that time frame, there is no problem even if the video is 2 hours long.  If they need to re-watch it, then they visit the site again and get a new URL.

All of this sounds like a lot of hassle and expense, is there an easier way?  If you deliver your videos through a CDN who uses FMS, then they probably offer all these services, you won’t have to incur any of these expenses.  Try a company called Influxis, they host FMS servers and you can setup a FMS how ever you want with minimal cost.

For a higher end solution, check out WideVine.  Widevine uses some proprietary technology which goes beyond what I’ve mentioned here.  Widevine’s intuitive DRM management tools offer total control over the encryption, key management, distribution and consumption of digital media. Using Widevine Cypher, pre-configured policies, digital rights and encryption are applied to inbound assets, automatically registered with Widevine and the CMS, then uploaded to a destination partner network or CDN.  Just know, that WideVine doesn’t come cheap!

I hope this information is useful for you.  Like all security on a computer, as soon as you plug a hole, another one is dug.  The goal is to stay one step ahead of the bad guys.

If you have any questions about this topic, please feel free to post them here and I will respond.

Thanks,

Mike Colburn (DigitalMediaGuy)